REPORT DOCUMENTATION PAGE (DD Form 1473)

Security classification: Unclassified
Accession number: AD-A164 820
Performing organization report number: Cornell University TR 85-723
Performing organization: Department of Computer Science, Cornell University, Ithaca, NY 14853
Sponsoring and monitoring organization: Office of Naval Research, 800 North Quincy Street, Arlington, VA 22217-5000
Procurement instrument identification number: N00014-86-K-0092
Title: Verifying Temporal Properties without using Temporal Logic
Personal authors: Bowen Alpern, Fred B. Schneider
Date of report: December 1985
Page count: 41
Subject terms: concurrent programs, temporal logic, program verification, property recognizers, Buchi automata
Distribution/availability of report: Unlimited
DTIC accession stamp: February 27, 1986


Verifying Temporal Properties without using Temporal Logic*

Bowen Alpern
Fred B. Schneider

TR 85-723
December 1985

Department of Computer Science
Cornell University
Ithaca, New York 14853

December 23, 1985

ABSTRACT

A new approach for proving temporal properties of concurrent programs is presented. The approach does not use temporal logic. To show that a program satisfies a given temporal property, the property is first decomposed into proof obligations. These obligations are then discharged by devising suitable invariant assertions and variant functions for the program. The approach is quite general — it handles a superset of the properties that can be expressed in linear-time temporal logic.

*This work is supported in part by NSF Grant DCR-8320274 and a grant from the Office of Naval Research.




1. Introduction

Experience has shown that while it may be possible to understand a sequential program by considering some subset of its executions, this is impossible for concurrent programs. Consequently, over the past 15 years, there has been increasing interest in ways to deduce properties of program behavior from the program text itself. The program text obviously contains all the information needed to decide what executions are possible. Moreover, while the number of possible executions is likely to be intractably large, only a single program text need be analyzed.

An execution of a program can be viewed as a potentially infinite sequence of states called a history. In a history, the first state is an initial state of the program and each following state results from executing a single atomic action in the preceding state. In a concurrent or distributed program, a history is the sequence of states that results from interleaving the atomic actions of the processes as they execute.

A property is a set of sequences of states; a program satisfies a property if each of its histories is in the set defined by the property. A property can be specified as a predicate on sequences. This allows the essence of the property to be made explicit.

Some examples of properties frequently arising in practice follow.

•  Partial Correctness includes all sequences of program states such that, if the first state in the sequence satisfies some given precondition and the sequence is finite, then in the final state the program counter denotes the end of the program and some given postcondition is satisfied.

•  Total Correctness, which is stronger than Partial Correctness, includes all sequences such that if the first state in the sequence satisfies some given precondition, then the sequence is finite and the value of the program counter in the final state denotes the end of the program as well as satisfying some given postcondition.

•  Mutual Exclusion includes all sequences in which there is no state where the program counters for two or more processes denote control points inside critical sections.

•  Deadlock Freedom includes all sequences in which there is no state where both (i) some process has no enabled atomic actions and (ii) no subsequent execution by any other process can alter that.

•  First-come First-served includes all sequences in which processes that request service in one order are not serviced in another order.

•  Starvation Freedom includes all sequences in which a process with an atomic action that is enabled frequently enough will make progress eventually.




Formulas of temporal logic can be interpreted as predicates on sequences of states, and various formulations of temporal logic have been used for specifying properties of interest to designers of concurrent programs [Lamport 83a] [Lamport 83b] [Manna & Pnueli 81a] [Wolper 83]. While there is not general agreement on the details of such a specification language, there is agreement that temporal logic provides a good basis for such a language and it, or something close to it, is sufficiently expressive.

Temporal logic has also been used in proving properties of concurrent programs [Pnueli 77] [Manna & Pnueli 81b] [Manna & Pnueli 84] [Owicki & Lamport 82]. Here, a program is regarded as defining a collection of temporal logic axioms. The programmer proves a property of interest by using these axioms along with program-independent axioms and inference rules of temporal logic [Manna & Pnueli 83]. Various packagings of the approach avoid the necessity of making temporal inferences by restricting the class of properties that can be proved. Examples include Hoare's logic for Partial Correctness of sequential programs [Hoare 69] and its extension to concurrent programs [Owicki & Gries 76], GHL (Generalized Hoare Logic) for proving safety properties of concurrent programs [Lamport 80] [Lamport & Schneider 84], and proof lattices for proving liveness properties [Owicki & Lamport 82].

This paper introduces a new approach for proving properties of (concurrent) programs. The approach can handle a broad class of properties, including any property that can be expressed in temporal logic. Using our approach, to prove that a program satisfies some given property, invariance obligations and variance obligations are constructed. Invariance obligations are discharged by finding certain invariant assertions and showing that they are preserved by execution; variance obligations are discharged by finding variant functions and showing that they decrease following certain events. Hoare's partial correctness logic is used to show that the invariant assertions are preserved by execution and that the variant functions are decreased by execution.


2. Specifying Properties

Our approach is based on specifying properties by using property recognizers, which are similar to Buchi automata [Eilenberg 74]. We are not advocating property recognizers as the basis for a specification language, but we have found them to be a convenient starting point for our verification method. Mechanical procedures exist to translate any temporal logic formula into a corresponding property recognizer [Alpern 86] [Wolper 84], so starting with property recognizers does not constitute a restriction. In fact, property recognizers are more expressive than most temporal logic-based specification languages — there exist properties that can be specified using property recognizers but cannot be specified in (most) temporal logics [Wolper 83].


A property recognizer accepts those sequences of program states that are in the property it defines. Properties can contain infinite sequences as well as finite ones, so a property recognizer must be able to accept both kinds of sequences. Recall that a finite-state automaton accepts a finite sequence if and only if it halts in an accepting state after reading the final symbol [Hopcroft & Ullman 79]. A Buchi automaton is a finite-state automaton with an acceptance criterion that allows it to accept infinite sequences — it accepts an infinite sequence if and only if it enters an accepting state infinitely often while reading that sequence [Eilenberg 74]. A property recognizer is an automaton that behaves like a standard finite-state automaton for finite input sequences and like a Buchi automaton for infinite input sequences.

An example of a property recognizer is given in Figure 2.1. It defines the set of sequences consisting of a (possibly empty) prefix of states in which each state satisfies predicate $\neg P$, immediately followed by either (i) an infinite sequence of states in which $P$ holds for each state, or (ii) a finite sequence of states in which $P$ holds on all except the last state.

The property recognizer of Figure 2.1 contains three automaton states, labeled $q_0$, $q_1$, and $q_2$. The start state is denoted by an arc with no origin, infinite-accepting states by concentric circles, and finite-accepting states by bullets (•). An infinite sequence is accepted by a property recognizer only if it causes the recognizer to be infinitely often in some infinite-accepting state. A finite sequence is accepted by the property recognizer only if it causes the recognizer to halt (at the end of its input) in some finite-accepting state. In Figure 2.1, $q_0$ is the start state, $q_1$ is an infinite-accepting state, and $q_2$ is a finite-accepting state.

Arcs between automaton states are labeled by program state predicates called transition predicates. These define transitions between automaton states based on the next symbol read from the input. For example, the arc labeled $P$ from $q_0$ to $q_1$ in Figure 2.1 means that whenever the recognizer is in $q_0$ and the symbol read is a program state satisfying $P$, then a transition to $q_1$ is made. If the next symbol read by a property recognizer satisfies no transition predicate on an arc emanating from the current automaton state, the input is rejected; in this case, we say the transition is undefined for that symbol. This is used in Figure 2.1 to ensure that every finite sequence it accepts ends with a single program state satisfying $\neg P$: no further transitions are possible from $q_2$ because there are no arcs emanating from it.

Figure 2.1.

When there is more than one start state or more than one transition is possible from some automaton state for some input symbol, the property recognizer is non-deterministic; otherwise it is deterministic. Thus, the recognizer of Figure 2.1 is deterministic because it has a single start state and disjoint transition predicates label the arcs that emanate from each automaton state.

Formally, a property recognizer $m$ for a property of a program $\pi$ is a sextuple $(S, Q, Q_0, Q_{inf}, Q_{fin}, \delta)$, where

$S$ is the set of program states of $\pi$,

$Q$ is the set of automaton states of $m$,

$Q_0 \subseteq Q$ is the set of start states of $m$,

$Q_{inf} \subseteq Q$ is the set of infinite-accepting states of $m$,

$Q_{fin} \subseteq Q$ is the set of finite-accepting states of $m$, and

$\delta: (Q \times S) \to 2^Q$ is the transition function of $m$.

Transition predicates are derived from $\delta$ as follows. $T_{ij}$, the transition predicate associated with the arc from automaton state $q_i$ to $q_j$, is the predicate that holds for all program states $s$ such that $q_j \in \delta(q_i, s)$. Thus, $T_{ij}$ is false if no symbol can cause a transition from $q_i$ to $q_j$.

In order to formalize when $m$ accepts a sequence, some definitions are required. For any sequence $\sigma = s_0 s_1 \ldots$,

$\sigma[i] = s_i$,

$\sigma[..i] = s_0 s_1 \ldots s_i$,

$|\sigma| =$ the length of $\sigma$ ($\omega$ if $\sigma$ is infinite).

Transition function $\delta$ can be extended to handle finite sequences of program states:

$\delta^*(q, \sigma) = \{q\}$ if $|\sigma| = 0$,

$\delta^*(q, \sigma) = \{q'' \mid q' \in \delta(q, \sigma[0]) \wedge q'' \in \delta^*(q', \sigma[1..])\}$ if $0 < |\sigma| < \omega$.

A run of $m$ for an input $\sigma$ is a sequence of automaton states that $m$ could be in while reading $\sigma$. Thus, for $\rho$ to be a run for $\sigma$, $\rho[0] \in Q_0$, and $(\forall i: 0 < i \le |\sigma|: \rho[i] \in \delta(\rho[i-1], \sigma[i-1]))$. Let $R_m(\sigma)$ be the set of runs of $m$ on $\sigma$. (It is a set because $m$ might be non-deterministic.)

A finite sequence $\sigma$ is accepted by $m$ if and only if $\delta^*(q_0, \sigma) \cap Q_{fin} \neq \emptyset$. For an infinite sequence $\sigma$, define $INF_m(\sigma)$ to be the set of automaton states that appear infinitely often in any element of $R_m(\sigma)$. Then, $\sigma$ is accepted by $m$ if and only if $INF_m(\sigma) \cap Q_{inf} \neq \emptyset$.

Any set of finite sequences that can be recognized by a non-deterministic finite-state automaton can be recognized by some deterministic finite-state automaton [Hopcroft & Ullman 79]. Unfortunately, Buchi automata, hence property recognizers, do not enjoy this equivalence — there are sets of infinite sequences that can be recognized by non-deterministic property recognizers but by no deterministic one [Eilenberg 74]. This will ultimately require that we use different techniques for those properties specified by non-deterministic property recognizers from those specified by deterministic ones.

Examples of Property Recognizers

A property recognizer for Partial Correctness is shown in Figure 2.2 and one for Total Correctness, $m_{tc}$, is shown in Figure 2.3. In them, $Pre$ is a transition predicate that holds for states satisfying the given precondition, $Done$ holds for states in which the program counter denotes the end of the program, and $Post$ holds for states satisfying the given postcondition.

Figure 2.2.

Figure 2.3. (arc labeled $Done \Rightarrow Post$)


A property recognizer for Mutual Exclusion of two processes is given in Figure 2.4. There, transition predicate $C_i$ holds for any state in which process $i$ is executing in its critical section.

Figure 2.4.

Starvation Freedom for a mutual exclusion protocol is specified by $m_{starv}$ of Figure 2.5. A process becomes enabled when its state satisfies the predicate $Request_i$, which characterizes the state of process $i$ whenever it attempts to enter its critical section, and makes progress when its state satisfies the predicate $Served_i$, which holds whenever process $i$ enters its critical section. Notice that $m_{starv}$ exploits the fact that in a mutual exclusion protocol a process will make but a single request for each entry into the critical section.

Figure 2.5. $m_{starv}$ (arcs labeled $\neg Served_i$ and $Served_i$)


3. Specifying Programs

A program $\pi$ consists of a predicate $Init_\pi$ characterizing its initial states and a collection $A_\pi$ of atomic actions. Presumably, $Init_\pi$ asserts that

•  the program counter for each process in $\pi$ denotes the first statement of that process, and

•  other program variables have appropriate values according to any initialization in their declarations.

Knowing the atomic actions of a concurrent program is necessary in order to understand its execution, since they define the grain of interleaving of processes. The atomic actions in a process define its control points — the set of values that can be stored in the program counter for that process. We can denote the control points of a program by naming them within braces in the program text; this results in a control-point annotation. For example, program $\pi_0$ of Figure 3.1 consists of two sequential processes, $\phi$ and $\psi$, each with a single atomic action and two control points. The atomic action in process $\phi$ is called $\alpha_\phi$ and the control points in $\phi$ are labeled 1 and 2.

Every sequential process $\phi$ has a program counter $pc_\phi$. We can use this variable in describing states of the program. For example, $pc_\phi = 1 \wedge pc_\psi = 3$ defines the state of $\pi_0$ at its start and $pc_\phi = 2 \wedge pc_\psi = 4$ at its finish. The program counter of a sequential process differs from other program variables in that usually only a single process may update it and direct assignments to it are not permitted. Each atomic action, however, changes the value of the program counter. For example, atomic action $\alpha_\phi$ in $\pi_0$ changes $pc_\phi$ (from 1 to 2) as well as incrementing $x$. The assignment to $pc_\phi$ by $\alpha_\phi$, though not explicit, can be deduced from the position of $\alpha_\phi$ in the program text.

By definition, atomic actions are executed indivisibly and to completion, so an atomic action cannot be started unless it will terminate. We therefore assume an atomic action is delayed until the state is one that will permit its termination. Using angle brackets to denote an atomic action, $\alpha_\phi$ of $\pi_0$ is

$\langle \mathbf{if}\ pc_\phi = 1 \rightarrow pc_\phi, x := 2, x+1\ \mathbf{fi} \rangle$.  (3.1)

Here, we use the multiple assignment statement of [Gries 81] and the if of [Dijkstra 76]. The semantics of if require that

$\mathbf{if}\ B_0 \rightarrow S_0\ \;[]\;\ \ldots\ \;[]\;\ B_n \rightarrow S_n\ \mathbf{fi}$

abort if executed in a state where none of the guards $B_0, \ldots, B_n$ holds. Thus, (3.1) is delayed until the program counter for process $\phi$ is 1, and then (without interruption) atomically updates the program counter and increments $x$. An atomic action might be delayed for reasons other than the program counter value. A P operation in process $\phi$ on a general semaphore $sem$,

$\ldots\ \{a{:}\}\ P(sem)\ \{b{:}\}\ \ldots$

defines an atomic action $\beta$:

$\langle \mathbf{if}\ pc_\phi = a \wedge sem > 0 \rightarrow pc_\phi, sem := b, sem - 1\ \mathbf{fi} \rangle$.  (3.2)

    π0: cobegin
          φ: {1:} α_φ: x := x+1 {2:}
        //
          ψ: {3:} α_ψ: x := x+1 {4:}
        coend

Figure 3.1. Simple Program


An atomic action is enabled in any state where its execution would not be delayed. Let $Enabled(\alpha)$ be the set of states in which $\alpha$ is enabled. In Figure 3.1,

$Enabled(\alpha_\phi) = (pc_\phi = 1)$

and in (3.2),

$Enabled(\beta) = (pc_\phi = a \wedge sem > 0)$.

We can use $Enabled$ to characterize states in which a program $\pi$ is blocked and can make no further progress because there are and will be no enabled atomic actions:

$Blocked_\pi \equiv (\wedge\, \alpha: \alpha \in A_\pi: \neg Enabled(\alpha))$.


The effects of an atomic action $\alpha$ can be defined as a relation between the program state before and after it is executed. This relation can be described by a triple $\{P\}\ \alpha\ \{Q\}$, which is valid if executing $\alpha$ in a state satisfying $P$ either does not terminate or terminates in a state satisfying $Q$. $P$ is called the precondition and $Q$ the postcondition.

Programming logics to prove validity of a triple involving a sequential program $\pi$ are well known [Hoare 69]. One is summarized in Figure 3.2. If the semantics of an atomic action $\alpha$ is described as a sequential program, then such a logic and the following inference rule can be used to infer triples giving the semantics of $\alpha$.

$\langle\ \rangle$ Rule: $\frac{\{P\}\ S\ \{Q\}}{\{P\}\ \langle S \rangle\ \{Q\}}$

For example, returning to $\pi_0$ of Figure 3.1, we can establish the validity of $\{x = 0\}\ \alpha_\phi\ \{x = 1\}$ as follows:

$\{x = 0\}\ pc_\phi, x := 2, x+1\ \{x = 1\}$  (Assignment Axiom)

$\{x = 0 \wedge pc_\phi = 1\}\ pc_\phi, x := 2, x+1\ \{x = 1\}$  (Rule of Consequence)

$\{x = 0\}\ \mathbf{if}\ pc_\phi = 1 \rightarrow pc_\phi, x := 2, x+1\ \mathbf{fi}\ \{x = 1\}$  (if Rule)

$\{x = 0\}\ \langle \mathbf{if}\ pc_\phi = 1 \rightarrow pc_\phi, x := 2, x+1\ \mathbf{fi} \rangle\ \{x = 1\}$  ($\langle\ \rangle$ Rule)

$\{x = 0\}\ \alpha_\phi\ \{x = 1\}$  (definition of $\alpha_\phi$)

This type of reasoning, which we employ frequently in the sequel, is facilitated by the following derived rule of inference,

Atomic Action Rule: $\frac{\{P \wedge B\}\ S\ \{Q\}}{\{P\}\ \langle \mathbf{if}\ B \rightarrow S\ \mathbf{fi} \rangle\ \{Q\}}$

Skip Axiom: $\{P\}\ \mathbf{skip}\ \{P\}$

Assignment Axiom: $\{P^{\bar{x}}_{\bar{e}}\}\ \bar{x} := \bar{e}\ \{P\}$

if Rule: $\frac{\{P \wedge B_0\}\ S_0\ \{Q\},\ \ldots,\ \{P \wedge B_n\}\ S_n\ \{Q\}}{\{P\}\ \mathbf{if}\ B_0 \rightarrow S_0\ \;[]\;\ \ldots\ \;[]\;\ B_n \rightarrow S_n\ \mathbf{fi}\ \{Q\}}$

do Rule: $\frac{\{P \wedge B_0\}\ S_0\ \{P\},\ \ldots,\ \{P \wedge B_n\}\ S_n\ \{P\}}{\{P\}\ \mathbf{do}\ B_0 \rightarrow S_0\ \;[]\;\ \ldots\ \;[]\;\ B_n \rightarrow S_n\ \mathbf{od}\ \{P \wedge \neg B_0 \wedge \ldots \wedge \neg B_n\}}$

Rule of Consequence: $\frac{P \Rightarrow P',\ \{P'\}\ S\ \{Q'\},\ Q' \Rightarrow Q}{\{P\}\ S\ \{Q\}}$

Conjunction Rule: $\frac{\{P\}\ S\ \{Q\},\ \{P'\}\ S\ \{Q'\}}{\{P \wedge P'\}\ S\ \{Q \wedge Q'\}}$

Figure 3.2. Partial Correctness Logic

4. Verification of Deterministic Properties

The basis for our approach to verifying that a program $\pi$ satisfies a property $P$ is the observation that if a property recognizer $m$ for $P$ accepts every history of $\pi$, then $\pi$ satisfies $P$. In this section, we consider verification of properties that are specified by deterministic property recognizers; in section 8, we consider non-deterministic property recognizers. Soundness and completeness proofs are given in the Appendix.

Let $m$ be a deterministic property recognizer for property $P$. One can think of $m$ as simulating — in an abstract way — any program that satisfies $P$. Thus, to show that a program $\pi$ satisfies $m$, we demonstrate such a correspondence between $m$ and $\pi$. We do this by defining a correspondence invariant $C_i$ for each automaton state $q_i$. A correspondence invariant $C_i$ for an automaton state $q_i$ is a predicate such that $C_i$ holds on a program state $s$ if and only if there exists a history of $\pi$ containing a program state $s$ and $m$ enters $q_i$ upon reading $s$. Thus, if $m$ is ever in automaton state $q_i$, the last program state it read must satisfy $C_i$. Constraints satisfied by correspondence invariants are defined inductively, as follows.

For the base case, initially, $m$ is in state $q_0$ and $\pi$ is in a state characterized by $Init_\pi$. Suppose that upon reading $s_0$, the first program state of some history of $\pi$, $m$ enters automaton state $q_j$. Thus, $s_0$ satisfies $Init_\pi$ and $T_{0j}$, the transition predicate labeling the edge that connects $q_0$ and $q_j$. Therefore, $C_j$ must satisfy $(Init_\pi \wedge T_{0j}) \Rightarrow C_j$; for any automaton state $q_j$ entered upon reading the first symbol of any history of $\pi$, we require

$(\forall j: (Init_\pi \wedge T_{0j}) \Rightarrow C_j)$.  (4.1)

Next we must prove the induction step. Assume that if $m$ enters automaton state $q_i$ upon reading program state $s_{k-1}$ in a history of $\pi$, then $s_{k-1}$ satisfies $C_i$. Consider the case when $m$ reads $s_k$. Suppose $m$ is in state $q_i$ and that upon reading program state $s_k$ a transition is made to automaton state $q_j$. By the induction hypothesis $s_{k-1}$ satisfies $C_i$ and $s_k$ satisfies transition predicate $T_{ij}$. The appropriate correspondence invariant $C_j$ will hold provided $\{C_i\}\ \alpha\ \{T_{ij} \Rightarrow C_j\}$ is valid for any $\alpha$, an atomic action of $\pi$. (If $\alpha$ is not enabled in $s_{k-1}$ then the triple is trivially valid.) Generalizing to handle any atomic action and any automaton state that $m$ might be in when $s_k$ is read, we require:

For all $\alpha: \alpha \in A_\pi$:
For all $i: q_i \in Q$:
$\{C_i\}\ \alpha\ \{(\wedge\, j: (T_{ij} \Rightarrow C_j))\}$  (4.2)

Thus, any collection of predicates satisfying (4.1) and (4.2) are correspondence invariants for $m$ and $\pi$.

In order to establish that $\pi$ satisfies $P$, we must show that every history of $\pi$ is accepted by $m$. There are exactly three ways that $m$ might fail to accept a history $\sigma$ of $\pi$:

(1) $m$ attempts an undefined transition when reading $\sigma$.

(2) If $\sigma$ is finite, $m$ halts in a non-finite-accepting state.

(3) If $\sigma$ is infinite, $m$ never enters an infinite-accepting state after some finite prefix of $\sigma$.

Thus, in order to prove that every history of $\pi$ satisfies $P$, it suffices to show that (1)–(3) are impossible.

Two obligations ensure that (1) is impossible. First, we must show that $m$ can make some transition from its start state upon reading the first program state in a history:

(4.3)

Second, we must show that $m$ can always make a transition upon reading subsequent states in a history. If $m$ is in state $q_i$ then the program state just read by $m$ satisfies a correspondence invariant $C_i$. To avoid an undefined transition, any atomic action $\alpha$ that is then executed must transform the program state so that one of the transition predicates emanating from $q_i$ holds. This is guaranteed by

For all $\alpha: \alpha \in A_\pi$:
For all $i: q_i \in Q$:
$\{C_i\}\ \alpha\ \{(\vee\, j: T_{ij})\}$  (4.4)


We can exploit the fact that $m$ is deterministic to combine and simplify the obligations derived so far. In a deterministic property recognizer, the transition predicates on arcs emanating from any automaton state are disjoint. Thus,

$(\forall i, j, k: q_i, q_j, q_k \in Q \wedge j \neq k: (T_{ij} \wedge T_{ik} \equiv false))$.  (4.5)

Using (4.5), we combine (4.1) and (4.3), to obtain

Simulation Basis: $Init_\pi \Rightarrow (\vee\, j: (T_{0j} \wedge C_j))$,  (4.6)

and combine (4.2) and (4.4), to obtain

Simulation Induction: For all $\alpha: \alpha \in A_\pi$:
For all $i: q_i \in Q$:
$\{C_i\}\ \alpha\ \{(\vee\, j: (T_{ij} \wedge C_j))\}$.  (4.7)


To ensure that it is impossible for $m$ to halt in a non-finite-accepting state — (2) above — the correspondence invariant for any non-finite-accepting state must hold only for program states in which subsequent execution by $\pi$ is inevitable. Since $C_i$ holds of the last program state read by $m$, and $Blocked_\pi$ holds for all program states of $\pi$ in which subsequent execution is not possible, we require

Finite Acceptance: $(\forall i: q_i \in Q - Q_{fin}: C_i \Rightarrow \neg Blocked_\pi)$.  (4.8)

Finally, we ensure that (3) is impossible. A set $Q'$ of automaton states is strongly connected if and only if there is a sequence of transitions from any element of $Q'$ to any other without involving an automaton state outside of $Q'$. A reject knot $\kappa$ is a maximal strongly connected subset of $Q$ containing no infinite-accepting states. It may, however, contain finite-accepting states. In order to show that (3) is impossible, we must prove that no run for an infinite history of $\pi$ is restricted to automaton states in $Q - Q_{inf}$. We do this by constructing a variant function $v_\kappa$ for each reject knot $\kappa$.




A variant function $v_\kappa$ is a function from automaton and program states to some well-founded set.¹ For simplicity, assume that this well-founded set is the Natural Numbers. We require that whenever $v_\kappa(q, s) = 0$ for any automaton state $q$ and program state $s$, either $q$ is not in $\kappa$ or else $q$ is a finite-accepting state and $s$ is the last state in the history.

Knot Exit: $(\forall i: q_i \in \kappa: (v_\kappa(q_i) = 0) \Rightarrow Blocked_\pi \vee \neg C_i)$  (4.9)

This means that if $v_\kappa(q) = 0$, either the history is finite and will be accepted by $m$ or an infinite-accepting state has just been entered since the property recognizer is no longer in $\kappa$. Finally, to ensure that the variant function does reach 0, we require that it is decreased by every atomic action in $\pi$ that might be executed:

Knot Variance: For all $\alpha: \alpha \in A_\pi$:
For all $q_i \in \kappa$:
$\{C_i \wedge 0 < v_\kappa(q_i) = V\}\ \alpha\ \{(\wedge\, j: ((T_{ij} \wedge C_j) \Rightarrow v_\kappa(q_j) < V))\}$  (4.10)

Note that requiring that $v_\kappa(q_i)$ be decreased by execution of any eligible atomic action does not preclude proving properties under various fairness assumptions. To prove that a property $P$ holds assuming some fairness property $F$ holds, a property recognizer for $F \Rightarrow P$ is constructed and proof obligations are extracted from it. Standard techniques exist to construct a property recognizer for $F \Rightarrow P$ from property recognizers for $F$ and $P$ [Eilenberg 74].

The five proof obligations — Simulation Basis (4.6), Simulation Induction (4.7), Finite Acceptance (4.8), Knot Exit (4.9), and Knot Variance (4.10) — are of three basic forms. Simulation Basis (4.6), Finite Acceptance (4.8), and Knot Exit (4.9) involve proving that predicate logic formulas are valid. Simulation Induction (4.7) involves proving invariance of some assertions. Knot Variance (4.10) involves proving that certain events cause variant functions to be decreased. Of course, the intellectual challenge in proving that a program satisfies a property lies not in checking the proof obligations, but in devising the correspondence invariants and variant functions. The proof obligations, however, do give insight into forms the correspondence invariants and variant function might take. In particular, the proof obligations define a collection of equations whose unknowns are the correspondence invariants and variant functions. Solving the equations — admittedly a difficult task — would provide the desired correspondence invariants and variant functions.

5. A Detailed Example

To illustrate our verification method, we prove that if program π_0 of Figure 3.1 is
started in a state where x=0, then it will terminate with x=2. This is an instance of Total
Correctness.

†The program state argument is often left implicit.


For π_0, we have

Blocked_π0 ≡ pc_φ=2 ∧ pc_ψ=4

and π_0 = {α_1, α_2}, where

α_1 ≡ (if pc_φ=1 → pc_φ, x := 2, x+1 fi)
α_2 ≡ (if pc_ψ=3 → pc_ψ, x := 4, x+1 fi).

A property recognizer m_TC for Total Correctness appears in Figure 2.3. For predicates
Pre, Post, and Done we choose:

Pre ≡ x=0

Post ≡ x=2

Done ≡ pc_φ=2 ∧ pc_ψ=4

Thus, m_TC accepts every sequence of states such that if x=0 holds for the first state, then the
sequence is finite and the final state is one in which x=2 and both φ and ψ have terminated.

We first define correspondence invariants for each of the four automaton states of m_TC.

C_0 ≡ false

C_1 ≡ (pc_φ=1 ⇒ ((pc_ψ=3 ⇒ x=0) ∧ (pc_ψ=4 ⇒ x=1))) ∧
      (pc_φ=2 ⇒ ((pc_ψ=3 ⇒ x=1) ∧ pc_ψ≠4)) ∧
      (pc_ψ=3 ⇒ ((pc_φ=1 ⇒ x=0) ∧ (pc_φ=2 ⇒ x=1))) ∧
      (pc_ψ=4 ⇒ ((pc_φ=1 ⇒ x=1) ∧ pc_φ≠2))

C_2 ≡ true

C_3 ≡ pc_φ=2 ∧ pc_ψ=4 ∧ x=2
To satisfy Simulation Basis (4.6), we must show that

Init_π0 ⇒ ((false ∧ C_0) ∨ (Pre ∧ ¬Done ∧ C_1) ∨ (¬Pre ∧ C_2) ∨ (Pre ∧ Done ∧ Post ∧ C_3))

is valid. Substituting, we get

(pc_φ=1 ∧ pc_ψ=3)
  ⇒ (false ∨ (x=0 ∧ ¬(pc_φ=2 ∧ pc_ψ=4) ∧ C_1) ∨ (x≠0) ∨ (x=0 ∧ pc_φ=2 ∧ pc_ψ=4 ∧ x=2)),

which is valid.

To satisfy Simulation Induction (4.7), we must show for each α ∈ π_0 that the following
triples are valid:

{C_0} α {(T_00∧C_0) ∨ (T_01∧C_1) ∨ (T_02∧C_2) ∨ (T_03∧C_3)}    (5.1)

{C_1} α {(T_10∧C_0) ∨ (T_11∧C_1) ∨ (T_12∧C_2) ∨ (T_13∧C_3)}    (5.2)

{C_2} α {(T_20∧C_0) ∨ (T_21∧C_1) ∨ (T_22∧C_2) ∨ (T_23∧C_3)}    (5.3)

{C_3} α {(T_30∧C_0) ∨ (T_31∧C_1) ∨ (T_32∧C_2) ∨ (T_33∧C_3)}    (5.4)

Since the triples for α_2 are symmetric with those for α_1, we prove only those for α_1.

Triple (5.1) is valid because C_0 = false and {false} α {R} is valid for any R.

Substituting for the transition predicates in (5.2) and simplifying yields

{C_1} α_1 {(¬Done ∧ C_1) ∨ (Done ∧ Post ∧ C_3)}.    (5.5)

From definition (3.1) of α_1 and the Atomic Action Rule, to prove the validity of (5.5), it
suffices to demonstrate the validity of

{C_1 ∧ pc_φ=1} pc_φ, x := 2, x+1 {(¬Done ∧ C_1) ∨ (Done ∧ Post ∧ C_3)}.

Expanding and substituting, this is

{(pc_ψ=3 ⇒ x=0) ∧ (pc_ψ=4 ⇒ x=1) ∧ pc_φ=1}
pc_φ, x := 2, x+1
{(¬(pc_φ=2 ∧ pc_ψ=4) ∧ C_1) ∨ (pc_φ=2 ∧ pc_ψ=4 ∧ x=2)}

and follows from the Assignment Axiom and Rule of Consequence.

Triple (5.3) simplifies to {true} α_1 {true} because C_2 = T_22 = true, and is valid.

Triple (5.4) simplifies to {C_3} α_1 {false} because T_30, T_31, T_32, and T_33 are all false—
those transitions are not possible in m_TC. From definition (3.1) of α_1 and the Atomic Action
Rule, to prove (5.4) it suffices to show validity of

{C_3 ∧ pc_φ=1} pc_φ, x := 2, x+1 {false}.

Since (C_3 ∧ pc_φ=1) = false, this reduces to {false} pc_φ, x := 2, x+1 {false}, which is valid.

To satisfy Finite Acceptance (4.8), since Q_fin = {q_2, q_3} we must prove that

(C_0 ⇒ ¬Blocked_π0) ∧ (C_1 ⇒ ¬Blocked_π0).

Substituting and simplifying, we get

(false ⇒ ¬Blocked_π0) ∧ (C_1 ⇒ (pc_φ≠2 ∨ pc_ψ≠4)),

which is valid.

The final two obligations concern reject knots. There is a single reject knot k = {q_1} in
m_TC. Define


Knot Exit (4.9) requires that

(v_k(q_1)=0) ⇒ Blocked_π0 ∨ ¬C_1.

This is valid because

(v_k(q_1)=0) ⇒ (pc_φ=2 ∧ pc_ψ=4)
             ⇒ Blocked_π0.

To satisfy Knot Variance (4.10), we must establish the validity of 2 triples:

{C_1 ∧ 0<v_k(q_1)=V} α_1 {(¬Done ∧ C_1) ⇒ v_k(q_1)<V}    (5.6)

{C_1 ∧ 0<v_k(q_1)=V} α_2 {(¬Done ∧ C_1) ⇒ v_k(q_1)<V}    (5.7)

We give details only for the first; the second is similar. Using definition (3.1) of α_1, the
Atomic Action Rule, and the Rule of Consequence, to prove (5.6) it suffices to prove

{C_1 ∧ 0<v_k(q_1)=V ∧ pc_φ=1} pc_φ, x := 2, x+1 {v_k(q_1)<V}.

This is valid because changing pc_φ from 1 to 2 decreases v_k.
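As an added worked check (not from the report), the Python script below encodes π_0, the transition predicates of m_TC as read off (4.6), (5.3) and (5.5), and the correspondence invariants C_0..C_3 of this section, then evaluates the five proof obligations by enumerating program states with x restricted to a small range. The variant function v_k(q_1) = (2−pc_φ)+(4−pc_ψ) is this script's own assumption, since the report's definition is not legible in this copy, and the obligations are checked as bounded validities rather than proved.

```python
"""Bounded check of the section 5 proof obligations for program pi_0 and m_TC."""
from itertools import product

# A program state of pi_0 is (pc_phi, pc_psi, x); phi runs 1 -> 2, psi runs 3 -> 4.
def init(s):                    # Init_pi0
    return s[0] == 1 and s[1] == 3

def blocked(s):                 # Blocked_pi0 = pc_phi=2 and pc_psi=4
    return s[0] == 2 and s[1] == 4

def alpha1(s):                  # (if pc_phi=1 -> pc_phi, x := 2, x+1 fi); None if not enabled
    return (2, s[1], s[2] + 1) if s[0] == 1 else None

def alpha2(s):                  # (if pc_psi=3 -> pc_psi, x := 4, x+1 fi)
    return (s[0], 4, s[2] + 1) if s[1] == 3 else None

ACTIONS = (alpha1, alpha2)

def implies(a, b):
    return (not a) or b

# Predicates Pre, Post and Done chosen in section 5.
def pre(s):  return s[2] == 0
def post(s): return s[2] == 2
def done(s): return s[0] == 2 and s[1] == 4

# Transition predicates T_ij of m_TC as they appear in (4.6), (5.5) and (5.3);
# pairs not listed are false, i.e. the transition is undefined.
def T(i, j, s):
    return {(0, 1): pre(s) and not done(s), (0, 2): not pre(s),
            (0, 3): pre(s) and done(s) and post(s),
            (1, 1): not done(s), (1, 3): done(s) and post(s),
            (2, 2): True}.get((i, j), False)

Q = range(4)            # automaton states q_0..q_3, q_0 the start state
Q_FIN = {2, 3}          # finite-accepting states
KNOT = {1}              # the single reject knot k = {q_1}

def C(i, s):
    """Correspondence invariants C_0..C_3 of section 5."""
    pc_phi, pc_psi, x = s
    if i == 0:
        return False
    if i == 1:
        return (implies(pc_phi == 1, implies(pc_psi == 3, x == 0) and implies(pc_psi == 4, x == 1))
                and implies(pc_phi == 2, implies(pc_psi == 3, x == 1) and pc_psi != 4)
                and implies(pc_psi == 3, implies(pc_phi == 1, x == 0) and implies(pc_phi == 2, x == 1))
                and implies(pc_psi == 4, implies(pc_phi == 1, x == 1) and pc_phi != 2))
    if i == 2:
        return True
    return pc_phi == 2 and pc_psi == 4 and x == 2

def v(i, s):
    """Variant function for the knot. ASSUMPTION: the report's definition is not
    legible in the scan, so we use the number of steps left before both processes
    terminate; it is 0 exactly when Blocked_pi0 holds, and 0 outside the knot."""
    return (2 - s[0]) + (4 - s[1]) if i in KNOT else 0

# Bounded universe: x is restricted to a small range, so this checks the
# predicate-logic obligations on finitely many states rather than proving them.
STATES = [(a, b, x) for a, b, x in product((1, 2), (3, 4), range(-1, 4))]

def successors(s):
    return [t for t in (a(s) for a in ACTIONS) if t is not None]

def check_obligations(C=C, v=v):
    """Evaluate the five obligations of section 4 for the given invariants and
    variant function; returns {obligation name: holds?}."""
    sim_basis = all(implies(init(s), any(T(0, j, s) and C(j, s) for j in Q))
                    for s in STATES)
    sim_induction = all(any(T(i, j, t) and C(j, t) for j in Q)
                        for i in Q for s in STATES if C(i, s) for t in successors(s))
    fin_accept = all(implies(C(i, s), not blocked(s))
                     for i in Q if i not in Q_FIN for s in STATES)
    knot_exit = all(implies(v(i, s) == 0, blocked(s) or not C(i, s))
                    for i in KNOT for s in STATES)
    knot_variance = all(implies(T(i, j, t) and C(j, t), v(j, t) < v(i, s))
                        for i in KNOT for s in STATES if C(i, s) and v(i, s) > 0
                        for t in successors(s) for j in Q)
    return {"Simulation Basis (4.6)": sim_basis,
            "Simulation Induction (4.7)": sim_induction,
            "Finite Acceptance (4.8)": fin_accept,
            "Knot Exit (4.9)": knot_exit,
            "Knot Variance (4.10)": knot_variance}

def weak_C(i, s):
    """A deliberately too weak alternative, C_1 := true. Simulation Induction then
    fails: from (pc_phi, pc_psi, x) = (1, 4, 3), alpha_1 reaches (2, 4, 4), where Done
    holds but Post does not, and m_TC has no transition for that state."""
    return True if i == 1 else C(i, s)

if __name__ == "__main__":
    for name, ok in check_obligations().items():
        print(f"{name}: {'holds' if ok else 'FAILS'}")
    print("with C_1 := true:", check_obligations(C=weak_C))
```

The weakened invariant also violates Finite Acceptance, since C_1 = true admits the blocked state pc_φ=2 ∧ pc_ψ=4 while q_1 is not finite-accepting.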

6. Property Outlines

A property outline provides a compact representation of the correspondence invariants
and the Simulation Induction (4.7) obligations for a given property recognizer and program.
Property outlines play much the same role in our approach to verification as proof outlines do
for verifying Partial Correctness using Hoare's partial correctness logic—they make it easy to
do verification informally and make it easy to present a proof. In fact, proof outlines and
property outlines are closely related, as we show in section 6.4.

6.1. Proof Outlines

A proof outline for a concurrent program π is the text of π annotated with an assertion
at each control point cp. Each assertion is a first-order predicate logic formula involving
the program variables and program counters of π.* A proof outline is valid provided:

Proof Outline Validity: Executing any enabled atomic action in a state where the assertions
associated with the control points denoted by program counters hold produces a
state in which the assertions associated with the control points denoted by program
counters still hold.

Proving validity of a proof outline for a concurrent program can be reduced to proving
the validity of a collection of triples [Owicki & Gries 76].‡ This is done as follows, where
pre(α) is the assertion immediately preceding α in the proof outline and post(α) is the
assertion immediately following it.

Sequential Correctness: For each atomic action α in the proof outline, prove

{pre(α)} α {post(α)}.

Interference Freedom: For each atomic action α in the proof outline and every assertion R
in a process different from the one containing α, prove:

{pre(α) ∧ R} α {R}.

*The conjunct pc_φ=cp is often left implicit and omitted from a proof outline for process φ.

6.2. Property Outlines

A property outline for property recognizer m and program π is obtained by adding
information about correspondence invariants to a control-point annotation for π. For each control
point cp, we specify for every automaton state q of m what must hold when the program
counter denotes cp if the property recognizer is in state q. This is done by placing a
property assertion at each control point in a control-point annotation for π.

A property assertion has the form

P: (q_0~P_0 | q_1~P_1 | ... | q_n~P_n)

where P is a label, q_0, ..., q_n are the automaton states of m, and P_0, P_1, ..., P_n are first-
order predicate logic formulas involving the program variables of π (possibly including
program counters). P holds in an automaton state q_i and program state s if s satisfies P_i. A
property outline for π and m is valid provided:

Property Outline Validity: Executing any enabled atomic action in an automaton state q
and program state s where the property assertions associated with the control points
denoted by program counters hold produces a program state s' that causes the property
recognizer to make a transition to an automaton state q' in which the property assertions
associated with the control points denoted by program counters still hold.

Figure 6.1 is a valid property outline for m_TC (Total Correctness) and π_0 (of Figure 3.1).

π_0: cobegin
   φ: {1: q_0~false | q_1~(pc_ψ=3 ⇒ x=0) ∧ (pc_ψ=4 ⇒ x=1) | q_2~true | q_3~false}
      α_1: x := x+1
      {2: q_0~false | q_1~(pc_ψ=3 ⇒ x=1) ∧ pc_ψ≠4 | q_2~true | q_3~pc_φ=2 ∧ pc_ψ=4 ∧ x=2}
   //
   ψ: {3: q_0~false | q_1~(pc_φ=1 ⇒ x=0) ∧ (pc_φ=2 ⇒ x=1) | q_2~true | q_3~false}
      α_2: x := x+1
      {4: q_0~false | q_1~(pc_φ=1 ⇒ x=1) ∧ pc_φ≠2 | q_2~true | q_3~pc_φ=2 ∧ pc_ψ=4 ∧ x=2}
coend

Figure 6.1. Example Property Outline

‡If an atomic action like "!" or "?" of CSP spans more than one process, then a third obligation, variously
called satisfaction or cooperation, must also be satisfied. Our results for property outlines can also be generalized
along these lines.

We can exploit the similarity in the definition of validity for proof outlines and for
property outlines in developing a procedure to prove validity of a property outline. Define a
property triple

{P: q_0~P_0 | ... | q_n~P_n} α {Q: q_0~Q_0 | ... | q_n~Q_n}    (6.1)


to be valid if execution of α in an automaton state q_i and program state satisfying P_i either
does not terminate or terminates in a program state s such that (i) s causes the property
recognizer to make a transition to automaton state q_j and (ii) s satisfies Q_j. Note that (6.1)
cannot be a partial correctness logic triple because it contains property assertions in its pre-
and postcondition. However, the interpretation of (6.1) is quite similar to the interpretation
of a partial correctness logic triple. In fact, if we can show how to establish the validity of a
property triple like (6.1) and one like

{P ∧ R} α {R},    (6.2)

where P and R are property assertions, then we have solved the problem of establishing the
validity of a property outline. This is because we can then use Sequential Correctness and
Interference Freedom to reduce the problem to showing that a collection of property triples
are valid. The soundness of this approach for establishing property outline validity is based
on the same argument as for proof outline validity.

Based on the interpretation of property assertions, note that:

((q_0~P_0 | ... | q_n~P_n) ∧ (q_0~R_0 | ... | q_n~R_n)) ≡ (q_0~P_0∧R_0 | ... | q_n~P_n∧R_n)    (6.3)

Thus, it suffices to be able to prove the validity of property triples like (6.1) since, using (6.3),
those like (6.2) can always be transformed to be like (6.1). We therefore turn to the problem
of proving validity of property triples.

To prove the validity of (6.1), it suffices to prove the following partial correctness logic
triples.

{P_0} α {(T_00∧Q_0) ∨ ... ∨ (T_0n∧Q_n)}    (6.4)

{P_1} α {(T_10∧Q_0) ∨ ... ∨ (T_1n∧Q_n)}    (6.5)

  ...

{P_n} α {(T_n0∧Q_0) ∨ ... ∨ (T_nn∧Q_n)}    (6.6)

The first, (6.4), establishes that execution of α in a state satisfying P_0 either does not
terminate or terminates in a state satisfying T_0j ∧ Q_j, for some j. From this, we conclude that
execution of α in a state satisfying P_0 with m in automaton state q_0 either does not terminate
or terminates in a state s' satisfying T_0j ∧ Q_j, so m makes a transition to automaton state q_j
upon reading this (next) symbol in the history being generated by π. Thus, Q holds for the
case that m is started in q_0. Repeating this argument for the remaining triples, we find that
no matter what automaton state m is in when α is executed, Q will hold if α terminates.
Thus, (6.4)-(6.6) together imply that executing α in a state satisfying P either does not
terminate or terminates in a state satisfying Q, hence {P} α {Q}.

We illustrate this approach for proving validity of a property outline on the one in Figure
6.1. There are two Sequential Correctness obligations:

{1} α_1 {2}    (6.7)

{3} α_2 {4}    (6.8)

And, there are four Interference Freedom obligations:

{1 ∧ 3} α_1 {3}    (6.9)

{1 ∧ 4} α_1 {4}    (6.10)

{3 ∧ 1} α_2 {1}    (6.11)

{3 ∧ 2} α_2 {2}    (6.12)


The details for only one of these property triples will be given; the remaining ones are left to
the energetic reader. Property triple (6.7) is:

{1: q_0~false | q_1~(pc_ψ=3 ⇒ x=0) ∧ (pc_ψ=4 ⇒ x=1) | q_2~true | q_3~false}
α_1: x := x+1
{2: q_0~false | q_1~(pc_ψ=3 ⇒ x=1) ∧ pc_ψ≠4 | q_2~true | q_3~pc_φ=2 ∧ pc_ψ=4 ∧ x=2}

Decomposing this into partial correctness logic triples we get

{false}
α_1
{(Pre ∧ ¬Done ∧ (pc_ψ=3 ⇒ x=1) ∧ pc_ψ≠4) ∨ (¬Pre)
  ∨ (Pre ∧ Done ∧ Post ∧ pc_φ=2 ∧ pc_ψ=4 ∧ x=2)}    (6.13)

{(pc_ψ=3 ⇒ x=0) ∧ (pc_ψ=4 ⇒ x=1)}
α_1
{(¬Done ∧ (pc_ψ=3 ⇒ x=1) ∧ pc_ψ≠4) ∨ (Done ∧ Post ∧ pc_φ=2 ∧ pc_ψ=4 ∧ x=2)}    (6.14)

{true} α_1 {true}    (6.15)

{false} α_1 {false}    (6.16)

Triples (6.13) and (6.16) follow trivially because the precondition of each is false; (6.14)
follows from the Assignment Axiom; and (6.15) follows because the postcondition is true.


6.3. Proof Obligations and Property Outlines

The proof obligations of section 4 are based on using correspondence invariants that link
program states and property recognizer states. Therefore, to show that π satisfies m using a
property outline PO for m and π, we must be able to extract from PO the correspondence
invariant for each automaton state of m. Doing this turns out to be trivial, due to the way
property assertions are defined. Each property assertion in a property outline contains a piece
of every correspondence invariant. These pieces are labeled by the automaton state to which
they correspond (by the "q_i~") and are exactly the part of the correspondence invariant that
must hold whenever a program counter denotes the control point to which the property
assertion is attached.


Given a program π consisting of a set of processes PROC_π, let CP_φ be the set of control
points in process φ, for φ ∈ PROC_π. Suppose the property assertion attached to control point
cp in a valid property outline for π and m is of the form (q_0~P_0^cp | q_1~P_1^cp | ... | q_n~P_n^cp).
Then, choose

C_i ≡ ∧_{φ ∈ PROC_π} ∧_{cp ∈ CP_φ} (pc_φ=cp ⇒ P_i^cp)    (6.17)

as the correspondence invariant for automaton state q_i. This choice eliminates the need to
demonstrate Simulation Induction (4.7)—this obligation is subsumed by having established
validity of the property outline, as we now show.


Consider an atomic action from a process φ:

α: (if pc_φ=cp → x̄, pc_φ := ē, cp' fi)

where x̄ is a vector of the program variables changed by executing α and ē is a vector of
expressions whose values are assigned to those variables. Simulation Induction (4.7) requires
that we prove, for each automaton state q_i,

{C_i} α {(T_i0∧C_0) ∨ ... ∨ (T_in∧C_n)}.

According to the Atomic Action Rule and Rule of Consequence, this is implied by

{C_i ∧ pc_φ=cp} x̄, pc_φ := ē, cp' {pc_φ=cp' ∧ ((T_i0∧C_0) ∨ ... ∨ (T_in∧C_n))}.    (6.18)

The precondition and postcondition of (6.18) can be rewritten because

(C_i ∧ pc_φ=cp) = (C_i^-φ ∧ pc_φ=cp ∧ P_i^cp), where

C_i^-φ ≡ ∧_{ψ ∈ PROC_π, ψ≠φ} ∧_{c ∈ CP_ψ} (pc_ψ=c ⇒ P_i^c),

so we have

{P_i^cp ∧ C_i^-φ ∧ pc_φ=cp}
x̄, pc_φ := ē, cp'
{pc_φ=cp' ∧ ((T_i0 ∧ P_0^cp' ∧ C_0^-φ) ∨ ... ∨ (T_in ∧ P_n^cp' ∧ C_n^-φ))}.    (6.19)

Therefore, due to the Conjunction Rule and the fact that transition predicates are disjoint, it
suffices to prove

{P_i^cp ∧ pc_φ=cp} x̄, pc_φ := ē, cp' {pc_φ=cp' ∧ ((T_i0 ∧ P_0^cp') ∨ ... ∨ (T_in ∧ P_n^cp'))}, and    (6.20)

{P_i^cp ∧ C_i^-φ ∧ pc_φ=cp} x̄, pc_φ := ē, cp' {pc_φ=cp' ∧ ((T_i0 ∧ C_0^-φ) ∨ ... ∨ (T_in ∧ C_n^-φ))}.    (6.21)

Notice, (6.20) is exactly what was proved in the Sequential Correctness step of establishing
validity of PO. Now we prove (6.21). Using the Conjunction Rule and the definition of
C_i^-φ, it suffices to prove:

For all ψ: ψ ∈ PROC_π, ψ ≠ φ:
    For all c: c ∈ CP_ψ:
        {P_i^cp ∧ P_i^c ∧ pc_φ=cp} x̄, pc_φ := ē, cp' {pc_φ=cp' ∧ ((T_i0 ∧ P_0^c) ∨ ... ∨ (T_in ∧ P_n^c))}

And, these triples are exactly what was proved in the Interference Freedom step of establishing
validity of PO.

Thus, given a valid property outline for m and π, in order to prove that π satisfies m,
extract the correspondence invariants from the property outline and prove Simulation Basis
(4.6), Finite Acceptance (4.8), Knot Exit (4.9), and Knot Variance (4.10)—Simulation
Induction (4.7) follows immediately from validity of the property outline.


6.4. Proof Outlines Revisited

Proof outlines for partial correctness logic can be formulated as property outlines. Let
PO_pcl be a valid proof outline for a concurrent program π where assertion P^cp is associated
with each control point cp in π. A valid property outline that embodies the information
in PO_pcl is one in which each control point cp has associated with it a property assertion
q_0~P^cp. PO_prop is a property outline for the property recognizer given in Figure 6.2 and π.

Figure 6.2. (The figure is not reproduced here; its one legible label is the transition predicate true.)

Validity of PO_prop follows from the partial correctness logic triples for Sequential Correctness
and Interference Freedom used to establish validity of PO_pcl.

7. Mutual Exclusion Example

Solving the mutual exclusion problem involves devising protocols to ensure that two or
more processes do not execute in critical sections at the same time. A good solution to the
mutual exclusion problem must not only satisfy this Mutual Exclusion property, but should
ensure that a process attempting to enter a critical section eventually does so, assuming no
process remains forever in its critical section—Starvation Freedom. We might also require
that a protocol satisfy First-come First-served, which asserts that requests to enter a critical
section are not served out-of-order.

In this section, we prove that a program crits based on the two-process mutual exclusion
protocol in [Peterson 81] satisfies Mutual Exclusion, Starvation Freedom, and First-come
First-served. The interested reader might wish to compare our proofs with the operational
proofs for Mutual Exclusion and Starvation Freedom in [Peterson 81] and the temporal logic
proofs for those properties in [Pnueli 86] and for First-come First-served in [Pnueli & Manna
83].

A control-point annotation for the program is given in Figure 7.1. Assume that initially
active_φ = active_ψ = false, since neither φ nor ψ is initially executing in its critical section, and
that turn is initialized to φ or ψ. Thus,

Init_crits ≡ pc_φ=1 ∧ pc_ψ=8 ∧ ¬active_φ ∧ ¬active_ψ ∧ (turn=φ ∨ turn=ψ)

Blocked_crits ≡ active_φ ∧ active_ψ ∧ turn≠φ ∧ turn≠ψ.


crits: cobegin
   φ: {1:} do true → {2:}
         non critical section;
         {3:}
         active_φ := true;
         {4:}
         turn := ψ;
         {5:}
         (if ¬active_ψ ∨ turn=φ → skip fi);
         {6:}
         critical section;
         {7:}
         active_φ := false
      od
   //
   ψ: {8:} do true → {9:}
         non critical section;
         {10:}
         active_ψ := true;
         {11:}
         turn := φ;
         {12:}
         (if ¬active_φ ∨ turn=ψ → skip fi);
         {13:}
         critical section;
         {14:}
         active_ψ := false
      od
coend

Figure 7.1. Peterson's Protocol


7.1. Mutual Exclusion

A property outline for process φ of crits and the Mutual Exclusion property recognizer (see
Figure 2.4) appears in Figure 7.2; the property outline for ψ is symmetric. The only non-trivial
part of showing that Figure 7.2 is a valid property outline is showing Interference Freedom—in
particular, showing that execution of ψ cannot invalidate the property assertion at control point
6, since this is the only property assertion in φ that mentions variables altered by execution of
ψ. Execution of active_ψ := true by ψ (at control point 10) makes pc_ψ=11 true, and execution
of turn := φ by ψ (at control point 11) makes turn=φ true. Thus, the property assertion is
not interfered with.

φ: {1: q_0~true}
   do true → {2: q_0~true}
      non critical section;
      {3: q_0~true}
      active_φ := true;
      {4: q_0~active_φ}
      turn := ψ;
      {5: q_0~active_φ}
      (if ¬active_ψ ∨ turn=φ → skip fi);
      {6: q_0~active_φ ∧ (turn=φ ∨ ¬active_ψ ∨ pc_ψ=11)}
      critical section;
      {7: q_0~true}
      active_φ := false
   od

Figure 7.2. Mutual Exclusion Property Outline

To prove that crits satisfies the property accepted by this recognizer, define CS_φ and
CS_ψ in terms of the program state:

CS_φ ≡ 6≤pc_φ≤7
CS_ψ ≡ 13≤pc_ψ≤14

Next, we must prove Simulation Basis (4.6), Simulation Induction (4.7), Finite Acceptance
(4.8), Knot Exit (4.9), and Knot Variance (4.10). We can use (6.17) to extract from the
property outline a correspondence invariant for automaton state q_0:

C_0 ≡ (pc_φ=4 ⇒ active_φ) ∧ (pc_φ=5 ⇒ active_φ) ∧
      (pc_φ=6 ⇒ (active_φ ∧ (turn=φ ∨ ¬active_ψ ∨ pc_ψ=11))) ∧
      (pc_ψ=11 ⇒ active_ψ) ∧ (pc_ψ=12 ⇒ active_ψ) ∧
      (pc_ψ=13 ⇒ (active_ψ ∧ (turn=ψ ∨ ¬active_φ ∨ pc_φ=4)))

Simulation Basis requires that we prove

Init_crits ⇒ (¬(CS_φ ∧ CS_ψ) ∧ C_0)    (7.1)

Substituting and simplifying, we find that (7.1) is valid. Simulation Induction (4.7) follows
because the property outline of Figure 7.2 is valid. Finite Acceptance, Knot Exit, and Knot
Variance are vacuously satisfied because the single automaton state of the recognizer is both a
finite-accepting and an infinite-accepting state.

7.2. Starvation Freedom

In Peterson's mutual exclusion protocol, process φ makes a request to enter its critical
section by reaching control point 5; its request is serviced when it reaches control point 6.
Thus, to use the Starvation Freedom property recognizer (Figure 2.5) to show Starvation
Freedom for φ, we choose transition predicates:

Request_φ ≡ pc_φ=5
Served_φ ≡ pc_φ=6

A valid property outline for the protocol and this recognizer is given in Figure 7.3. Proving
Sequential Correctness and Interference Freedom is simple and is omitted here.

We extract correspondence invariants from the property outline using (6.17):

C_0 ≡ (pc_φ≠5 ⇒ (turn=φ ∨ turn=ψ)) ∧ (pc_φ=4 ⇒ active_φ) ∧ (pc_φ=5 ⇒ false)

C_1 ≡ (pc_φ≠5 ⇒ false) ∧ (pc_φ=5 ⇒ (active_φ ∧ (turn=φ ∨ turn=ψ))) ∧
      (pc_ψ≠12 ⇒ (pc_φ=5 ∧ turn=ψ)) ∧ (pc_ψ=12 ⇒ pc_φ=5)

To prove Simulation Basis (4.6) we show that

Init_crits ⇒ ((¬Request_φ ∧ C_0) ∨ (Request_φ ∧ C_1))

is valid. This simplifies to

pc_φ=1 ∧ pc_ψ=8 ∧ ¬active_φ ∧ ¬active_ψ ∧ (turn=φ ∨ turn=ψ)
  ⇒ (pc_φ≠5 ∧ C_0) ∨ (pc_φ=5 ∧ C_1)

which is valid.

Next, we prove Finite Acceptance (4.8). There is only one non-finite-accepting state in
the recognizer, q_1. Thus, Finite Acceptance (4.8) requires that we show that

C_1 ⇒ ¬Blocked_crits


is valid. It is.

crits: cobegin
   φ: {1: q_0~(turn=φ ∨ turn=ψ) | q_1~false}
      do true → {2: q_0~(turn=φ ∨ turn=ψ) | q_1~false}
         non critical section;
         {3: q_0~(turn=φ ∨ turn=ψ) | q_1~false}
         active_φ := true;
         {4: q_0~active_φ ∧ (turn=φ ∨ turn=ψ) | q_1~false}
         turn := ψ;
         {5: q_0~false | q_1~active_φ ∧ (turn=φ ∨ turn=ψ)}
         (if ¬active_ψ ∨ turn=φ → skip fi);
         {6: q_0~(turn=φ ∨ turn=ψ) | q_1~false}
         critical section;
         {7: q_0~(turn=φ ∨ turn=ψ) | q_1~false}
         active_φ := false
      od
   //
   ψ: {8: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
      do true → {9: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
         non critical section;
         {10: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
         active_ψ := true;
         {11: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
         turn := φ;
         {12: q_0~true | q_1~pc_φ=5}
         (if ¬active_φ ∨ turn=ψ → skip fi);
         {13: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
         critical section;
         {14: q_0~true | q_1~pc_φ=5 ∧ turn=ψ}
         active_ψ := false
      od
coend

Figure 7.3. Starvation Freedom Property Outline


There is one reject knot k = {q_1} in the recognizer. Choose the following as a variant function
for the knot.

v_k(q_1) ≡ 0,                        if pc_φ≠5
           1,                        if pc_φ=5 ∧ pc_ψ=12 ∧ turn=φ
           2+((11−pc_ψ) mod 6),      if pc_φ=5 ∧ turn=ψ

To satisfy Knot Exit (4.9), we must prove

(v_k(q_1)=0) ⇒ (Blocked_crits ∨ ¬C_1).

This follows because v_k(q_1)=0 ⇒ pc_φ≠5 and pc_φ≠5 ⇒ ¬C_1.

To satisfy Knot Variance (4.10), we must show that for every atomic action α:

{C_1 ∧ 0<v_k(q_1)=V} α {(¬Served_φ ∧ C_1) ⇒ v_k(q_1)<V}    (7.2)

Since v_k(q_1)=1 ⇒ (pc_φ=5 ∧ pc_ψ=12 ∧ turn=φ), and (pc_φ=5 ∧ C_1) ⇒ active_φ, it suffices to
prove

{active_φ ∧ pc_φ=5 ∧ pc_ψ=12 ∧ turn=φ} α {(¬Served_φ ∧ C_1) ⇒ v_k(q_1)<1}    (7.3)

for each atomic action α. Only the atomic actions at control points 5 and 12 are potentially
enabled in the precondition of (7.3), and from active_φ ∧ turn=φ, we conclude that the one at
12 is not enabled. Since ¬Served_φ is false after the atomic action at control point 5 is
executed, the postcondition of (7.3) is true and the triple is valid.

Next, we show that (7.2) is valid if v_k(q_1)=2. From v_k(q_1)=2, we infer pc_φ=5 ∧ turn=ψ
and, since 2+((11−11) mod 6) = 2, pc_ψ=11. Thus, it suffices to show that

{pc_φ=5 ∧ turn=ψ ∧ pc_ψ=11} α {(¬Served_φ ∧ C_1) ⇒ v_k(q_1)<2}    (7.4)

is valid. Only the atomic actions at control points 5 and 11 are enabled in the precondition of
(7.4), so they are the only ones for which (7.4) is not trivially valid. Executing the atomic
action at control point 5 makes pc_φ=6, hence the postcondition of (7.4) is true and the triple
valid; executing the atomic action at control point 11 makes pc_ψ=12 ∧ turn=φ, which
decreases v_k(q_1) to 1.

Finally, we show that (7.2) is valid if v_k(q_1)>2. If v_k(q_1)>2, the atomic action at
control point 5, as well as an action at 9, 10, or 12-14, must be enabled. As already argued,
executing the atomic action at 5 decreases v_k(q_1) to 0. Executing an atomic action at 9, 10,
12, 14 also decreases v_k(q_1): on reaching the next control point, the value of
2+((11−pc_ψ) mod 6) is decreased. Execution starting from 13 causes the value of
2+((11−pc_ψ) mod 6) to be decreased provided control point 14 is reached. Thus, our proof
of Starvation Freedom is correct only if ψ is guaranteed to exit its critical section after enter-
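As an added check that is not part of the report, the Python script below enumerates every program state of crits and verifies Knot Exit (4.9) and the Knot Variance triple (7.2) for the invariant C_1 and the variant function v_k(q_1) given above; it also exhibits the closing caveat by letting ψ's critical section repeat without terminating, which makes (7.2) fail. Two modelling assumptions are the script's own: the critical and non-critical sections are single actions that change no protocol variable, and after the action at control point 7 (resp. 14) control returns to point 2 (resp. 9).

```python
"""Bounded check of Knot Exit (4.9) and Knot Variance (7.2) for the Starvation
Freedom proof of section 7.2 (Peterson's protocol, Figure 7.1)."""
from itertools import product

PHI, PSI = "phi", "psi"

# A program state of crits: (pc_phi, pc_psi, active_phi, active_psi, turn).
STATES = [(a, b, x, y, t) for a, b, x, y, t in
          product(range(1, 8), range(8, 15), (False, True), (False, True), (PHI, PSI))]

def implies(a, b):
    return (not a) or b

def step(s, cs_may_loop=False):
    """Yield every successor of s under one enabled atomic action of crits.
    Modelling ASSUMPTIONS (the report does not spell these out): the critical and
    non-critical sections are single actions that touch no protocol variable, and
    after the action at control point 7 (resp. 14) control returns to point 2
    (resp. 9). With cs_may_loop=True, psi's critical section may also repeat
    without progressing, i.e. psi is not guaranteed to leave it."""
    pc_phi, pc_psi, act_phi, act_psi, turn = s
    # process phi: 1 -> 2 (do true), 2 -> 3 (ncs), 3: active_phi := true,
    # 4: turn := psi, 5: guarded skip, 6 -> 7 (cs), 7: active_phi := false
    if pc_phi in (1, 2):
        yield (pc_phi + 1, pc_psi, act_phi, act_psi, turn)
    elif pc_phi == 3:
        yield (4, pc_psi, True, act_psi, turn)
    elif pc_phi == 4:
        yield (5, pc_psi, act_phi, act_psi, PSI)
    elif pc_phi == 5 and (not act_psi or turn == PHI):   # enabled only if guard holds
        yield (6, pc_psi, act_phi, act_psi, turn)
    elif pc_phi == 6:
        yield (7, pc_psi, act_phi, act_psi, turn)
    elif pc_phi == 7:
        yield (2, pc_psi, False, act_psi, turn)
    # process psi: the symmetric sequence at control points 8..14
    if pc_psi in (8, 9):
        yield (pc_phi, pc_psi + 1, act_phi, act_psi, turn)
    elif pc_psi == 10:
        yield (pc_phi, 11, act_phi, True, turn)
    elif pc_psi == 11:
        yield (pc_phi, 12, act_phi, act_psi, PHI)
    elif pc_psi == 12 and (not act_phi or turn == PSI):
        yield (pc_phi, 13, act_phi, act_psi, turn)
    elif pc_psi == 13:
        yield (pc_phi, 14, act_phi, act_psi, turn)
        if cs_may_loop:
            yield s
    elif pc_psi == 14:
        yield (pc_phi, 9, act_phi, False, turn)

def served_phi(s):              # Served_phi = pc_phi=6
    return s[0] == 6

def blocked(s):                 # Blocked_crits (never true, since turn is phi or psi)
    return s[2] and s[3] and s[4] != PHI and s[4] != PSI

def C1(s):
    """Correspondence invariant C_1 extracted from Figure 7.3 via (6.17)."""
    pc_phi, pc_psi, act_phi, _, turn = s
    return (implies(pc_phi != 5, False)
            and implies(pc_phi == 5, act_phi and turn in (PHI, PSI))
            and implies(pc_psi != 12, pc_phi == 5 and turn == PSI)
            and implies(pc_psi == 12, pc_phi == 5))

def v(s):
    """The variant function v_k(q_1) of section 7.2; None where the report leaves it
    undefined (such states do not satisfy C_1)."""
    pc_phi, pc_psi, _, _, turn = s
    if pc_phi != 5:
        return 0
    if pc_psi == 12 and turn == PHI:
        return 1
    if turn == PSI:
        return 2 + ((11 - pc_psi) % 6)      # Python's % is non-negative here
    return None

def knot_exit():
    """(4.9): v_k(q_1)=0 implies Blocked_crits or not C_1, in every state."""
    return all(implies(v(s) == 0, blocked(s) or not C1(s)) for s in STATES)

def knot_variance(cs_may_loop=False):
    """(7.2): from each state with C_1 and v>0, every enabled action leads to a
    state where (not Served_phi and C_1) implies v has decreased. Returns the
    offending (s, t) pairs; an empty list means the obligation holds."""
    bad = []
    for s in STATES:
        big_v = v(s)
        if not C1(s) or big_v is None or big_v <= 0:
            continue
        for t in step(s, cs_may_loop):
            if not served_phi(t) and C1(t):
                w = v(t)
                if w is None or not w < big_v:
                    bad.append((s, t))
    return bad

if __name__ == "__main__":
    print("Knot Exit (4.9):", knot_exit())
    print("Knot Variance (7.2):", not knot_variance())
    print("Knot Variance if psi may stay in its critical section:",
          not knot_variance(cs_may_loop=True))
```

The offending pairs returned for cs_may_loop=True are exactly the self-loops at control point 13, where v_k(q_1) = 2+((11−13) mod 6) = 6 is left unchanged.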


7.3. First-come First-served

A property recognizer for First-come First-served for crits is given in Figure 7.4. Transition
predicates Request_φ and Served_φ are as defined above for Starvation Freedom; the
remaining two transition predicates used in it are:

Request_ψ ≡

Served_ψ ≡

A property outline for crits and this recognizer appears in Figure 7.5. Showing that the property
outline is valid is straightforward; we do not give the details here. Informally, the
correspondence invariants characterize states as follows.

C_0: either φ does not have a pending request or ψ has a prior request pending.

C_1: φ has a pending request and ψ does not.

C_2: both φ and ψ have pending requests and the one from φ was prior to the one from
ψ.

Simulation Basis (4.6) follows trivially. The remaining obligations—Finite Acceptance
(4.8), Knot Exit (4.9), and Knot Variance (4.10)—are vacuously true because every automaton
state in the recognizer is both finite-accepting and infinite-accepting. Thus, the proof is completed.

8. Non-deterministic Property Recognizers

The proof obligations of section 4 concern properties specified by deterministic property
recognizers. We now address the problem of proving that every history of a program π is
accepted by some given non-deterministic property recognizer m_ND. Two approaches are
discussed. In the first, proof obligations are extracted directly from m_ND. In the second, a
deterministic property recognizer m_D is constructed that accepts every history of π accepted
by m_ND, but not necessarily every sequence of states accepted by m_ND. Then, proof
obligations are extracted from m_D. The relative completeness result of the Appendix establishes


Figure 7.4. First-come First-served Property Recognizer (figure not reproduced here)


crits: cobegin
   φ: {1: q_0~true | q_1~false | q_2~false}
      do true → {2: q_0~true | q_1~false | q_2~false}
         non critical section;
         {3: q_0~true | q_1~false | q_2~false}
         active_φ := true;
         {4: q_0~active_φ | q_1~false | q_2~false}
         turn := ψ;
         {5: q_0~Request_ψ ∧ turn=ψ ∧ active_φ | q_1~¬Request_ψ ∧ active_φ |
             q_2~Request_ψ ∧ turn=φ ∧ active_φ}
         (if ¬active_ψ ∨ turn=φ → skip fi);
         {6: q_0~true | q_1~false | q_2~false}
         critical section;
         {7: q_0~true | q_1~false | q_2~false}
         active_φ := false
      od
   //
   ψ: {8: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
      do true → {9: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
         non critical section;
         {10: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
         active_ψ := true;
         {11: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
         turn := φ;
         {12: q_0~Request_φ ⇒ (turn=ψ ∧ active_φ) | q_1~false | q_2~active_φ ∧ turn=φ}
         (if ¬active_φ ∨ turn=ψ → skip fi);
         {13: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
         critical section;
         {14: q_0~Request_φ ⇒ active_φ | q_1~Request_φ ⇒ active_φ | q_2~false}
         active_ψ := false
      od
coend

Figure 7.5. First-come First-served Property Outline


that the second approach always works, provided the program has a finite state space; however,
the first approach is often simpler and more convenient.

8.1.  Eztnctiiig  Proof  Obllgationa 

TIk  proof  obligations  of  section  4  are  based  on  two  assumptions  that  hold  for  deter¬ 
ministic  property  recognizers: 

(1)  There  is  a  sin^  start  state. 

(2)  Disjoint  transition  predicates  label  arcs  emanating  from  each  automaton  state. 

These  assumptions  need  not  hold  for  non-deterministic  property  recognizers.  However,  given 
a  non-deterministic  property  recognizer  that  does  not  satisfy  assumption  (1),  it  is  easy  to  con¬ 
struct  one  that  does.  Thus,  in  adapting  the  proof  obligations  developed  in  section  4  for  use 
with  properties  specified  by  non-deterministic  property  recognizera,  we  need  only  be  con¬ 
cerned  with  assumption  (2). 

Assumption (2) is used in section 4 to combine the constraints on correspondence invariants with the proof obligations that prevent undefined transitions. In particular, (4.1) is merged with (4.3) to form Simulation Basis (4.6), and (4.2) is merged with (4.4) to form Simulation Induction (4.7). Since this merging is not possible when transition predicates are not disjoint, the reasoning of section 4 dictates that for a given program π and non-deterministic property recognizer m_ND, showing (4.1), (4.2), (4.3), (4.4), Finite Acceptance (4.8), Knot Exit (4.9), and Knot Variance (4.10) ensures that every history of π is accepted by m_ND.

Unfortunately, these proof obligations may be too strong: not all programs that satisfy the property specified by m_ND will satisfy (4.1), (4.2), (4.3), (4.4), (4.8), (4.9), and (4.10), because these obligations ensure that for any history of the program, every run of m_ND is accepting. Recall that a property recognizer accepts an infinite sequence provided a single run is accepting. With a deterministic property recognizer, each input results in only a single run, so ensuring that every run is accepting is equivalent to ensuring that the single run is. With a non-deterministic property recognizer, there may be multiple runs. Thus, for non-deterministic property recognizers, the proof obligations are more restrictive than necessary.

8.2. Refining Non-deterministic Recognizers

Non-deterministic property recognizers can specify properties that cannot be specified by deterministic ones [Eilenberg 74]. However, each program π (with a finite state space) that satisfies a property ND accepted by a non-deterministic property recognizer m_ND must also satisfy a property P_D, where P_D ⊆ ND, specified by a deterministic property recognizer m_D.* Thus, to prove that π satisfies a property ND specified by m_ND, it suffices to construct m_D and prove that π satisfies it. We call m_D a deterministic refinement of m_ND.

The construction of m_D involves repeatedly modifying m_ND, using the techniques described below, so that it becomes progressively more deterministic. Clearly, val_id modifications must never cause the resulting property recognizer to accept sequences not accepted by the original one; they can, however, cause fewer sequences to be accepted. Satisfying the proof obligations for the deterministic refinement ensures that all histories of the program are accepted by the original property recognizer m_ND.

Modifications for obtaining a deterministic refinement fall into two classes: those that result in an automaton that accepts the same sequences as the original, and those that result in an automaton that accepts fewer sequences than the original. The second class of modifications is needed because some non-deterministic property recognizers do not have deterministic equivalents.

By removing transitions from m_ND, the resulting property recognizer is more deterministic and can accept no sequence that would not have been accepted by m_ND. Thus, this form of modification is one way towards constructing a deterministic refinement.

Pruning: Delete transitions in the property recognizer.

Frequently, Pruning is performed by strengthening transition predicates based on knowledge of the program state. When the strengthening predicate holds of every program state that could actually take the arc, no history of π is lost, even though the recognizer as an automaton may now accept fewer sequences. This form of Pruning is illustrated in Figure 8.1.


Figure 8.1. Pruning (before and after; the drawing is not reproduced here)

Here, transitions from q0 to itself under program states that satisfy P have been pruned.

A second modification that makes a property recognizer more deterministic is to combine automaton states.

Combining: Combine states if it does not permit additional sequences to be accepted.

When combining two states q′ and q″, all transitions into q′ and q″ terminate at a new state.


* The proof of this appears in the Appendix as part of the completeness result.


If a non-deterministic choice existed between q′ and q″ in the original property recognizer, then that choice is no longer non-deterministic in the resulting one. Two states q′ and q″ can be combined provided:

Combining Congruent States. If two states q′ and q″ are congruent then they can be combined and the resultant property recognizer will accept the same set of sequences. Two states q′ and q″ are congruent if and only if

C1: neither or both are finite-accepting,

C2: neither or both are infinite-accepting,

C3: if there is a transition from q′ to q under program state s then there also is a transition from q″ to some state congruent to q under program state s.

An example of this is illustrated in Figure 8.2. There, q2 and q3 are combined.


Figure  8.2.  Combining 

When C1 or C2 of Combining Congruent States does not hold, it is sometimes possible to promote a non-accepting state to being an accepting state without changing the set of sequences accepted by the property recognizer.

Finite-accepting Promotion. A non-finite-accepting state q can be promoted to being finite-accepting if for every run that ends in q there is another run on the same input that ends in a finite-accepting state.

Infinite-accepting Promotion. A non-infinite-accepting state q can be promoted to being infinite-accepting if for every run that contains q infinitely often there is a run (perhaps the same one) on the same input that contains some infinite-accepting state infinitely often.


Finally, an automaton state may serve many roles. By splitting such a state into several copies, we can separate these roles and then use Pruning to remove transitions or Combining to combine some of the copies with other automaton states.

Splitting: Replicate an automaton state and all transitions into and out of it.

Splitting does not change the set of sequences accepted by a property recognizer, but it does put the recognizer into a form where Pruning and/or Combining can be used to move towards a deterministic refinement. Splitting is illustrated in Figure 8.3.

It is not always necessary to construct the actual deterministic refinement of a given non-deterministic property recognizer. Rather, it suffices to use Pruning, Combining, and Splitting to obtain a non-deterministic property recognizer for a property that is also accepted by some deterministic property recognizer. We can then apply one of the known (automatic) procedures to produce a deterministic property recognizer that is equivalent to the given non-deterministic one [Landweber 69].²


Figure 8.3. Splitting (before and after; the drawing is not reproduced here)


² Such procedures also indicate if there is no deterministic property recognizer for the given non-deterministic one. Then additional Pruning, Combining, and Splitting must be done.
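The three refinement steps carried out on a small recognizer, as an added worked example that is not part of the original report. The recognizer is constructed: program states are abstracted to the symbols a, b, c, a transition predicate T_ij is represented by the set of symbols satisfying it, and the automaton has a start state q0 with two interchangeable accepting states q1 and q2 reached by a non-deterministic guess that "some program state satisfies b". Combining the two congruent states and then pruning b from the q0 self-loop (Figure 8.1 with P taken as "the program state is b") yields a deterministic recognizer that accepts the same sequences; a pruning that removes too much still accepts only a subset. Congruence is computed as the greatest relation satisfying C1 to C3, with C3 checked in both directions so that it is symmetric (an assumption; the text states C3 in one direction). Only acceptance of finite sequences is compared, by enumeration up to a bounded length; the infinite-accepting sets are carried through the operations structurally.

```python
"""Pruning, Combining and Splitting on a small non-deterministic property recognizer.
Program states are abstracted to symbols; T_ij is the set of symbols satisfying it."""
from dataclasses import dataclass, field, replace
from itertools import product

ALPHABET = ("a", "b", "c")             # constructed abstract program states
ANY = set(ALPHABET)

@dataclass
class Recognizer:
    states: frozenset
    start: str                          # single start state (assumption (1) of 8.1)
    fin_acc: frozenset                  # finite-accepting states
    inf_acc: frozenset                  # infinite-accepting states
    trans: dict = field(default_factory=dict)   # (qi, qj) -> set of symbols (T_ij)

def successors(rec, q, s):
    """Automaton states reachable from q on program state s (several if non-deterministic)."""
    return {qj for (qi, qj), pred in rec.trans.items() if qi == q and s in pred}

def is_deterministic(rec):
    """Assumption (2) of 8.1: predicates on arcs leaving any state are pairwise disjoint."""
    return all(len(successors(rec, q, s)) <= 1 for q in rec.states for s in ALPHABET)

def accepts_finite(rec, seq):
    """A finite sequence is accepted if SOME run ends in a finite-accepting state."""
    frontier = {rec.start}
    for s in seq:
        frontier = {qj for q in frontier for qj in successors(rec, q, s)}
    return bool(frontier & rec.fin_acc)

def finite_language(rec, max_len):
    """All accepted sequences of length <= max_len (brute force over a tiny alphabet)."""
    return {seq for n in range(max_len + 1) for seq in product(ALPHABET, repeat=n)
            if accepts_finite(rec, seq)}

def prune(rec, qi, qj, keep):
    """Pruning: strengthen T_ij to (T_ij and keep); drop the arc if it becomes false."""
    trans = dict(rec.trans)
    new = trans[(qi, qj)] & keep
    if new:
        trans[(qi, qj)] = new
    else:
        del trans[(qi, qj)]
    return replace(rec, trans=trans)

def congruent_pairs(rec):
    """Greatest relation satisfying C1-C3, computed as a bisimulation-style fixpoint.
    C3 is required in both directions so that congruence is symmetric (assumption)."""
    rel = {(p, q) for p in rec.states for q in rec.states
           if (p in rec.fin_acc) == (q in rec.fin_acc)        # C1
           and (p in rec.inf_acc) == (q in rec.inf_acc)}      # C2
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            for s in ALPHABET:
                sp, sq = successors(rec, p, s), successors(rec, q, s)
                # C3: each move of p on s is matched by a move of q to a congruent state
                if not (all(any((x, y) in rel for y in sq) for x in sp)
                        and all(any((x, y) in rel for x in sp) for y in sq)):
                    rel.discard((p, q)); changed = True; break
    return rel

def combine(rec, q1, q2, name):
    """Combining: merge congruent q1, q2 into `name`; every arc into or out of either now
    attaches to `name`, so a non-deterministic choice between them disappears."""
    if (q1, q2) not in congruent_pairs(rec):
        raise ValueError("not congruent: combining could accept additional sequences")
    ren = lambda q: name if q in (q1, q2) else q
    trans = {}
    for (qi, qj), pred in rec.trans.items():
        trans[(ren(qi), ren(qj))] = trans.get((ren(qi), ren(qj)), set()) | pred
    rename = lambda st: frozenset(ren(q) for q in st)
    return Recognizer(rename(rec.states), ren(rec.start), rename(rec.fin_acc),
                      rename(rec.inf_acc), trans)

def split(rec, q, copy):
    """Splitting: replicate q as `copy` together with every arc into and out of it."""
    trans = dict(rec.trans)
    for (qi, qj), pred in rec.trans.items():
        for a, b in product((qi, copy) if qi == q else (qi,), (qj, copy) if qj == q else (qj,)):
            trans[(a, b)] = set(pred)
    grow = lambda st: st | {copy} if q in st else st
    return Recognizer(rec.states | {copy}, rec.start, grow(rec.fin_acc), grow(rec.inf_acc), trans)

# Constructed recognizer: "some program state satisfies b", guessed non-deterministically,
# with two interchangeable accepting states q1 and q2 (finite- and infinite-accepting).
m_nd = Recognizer(frozenset({"q0", "q1", "q2"}), "q0", frozenset({"q1", "q2"}),
                  frozenset({"q1", "q2"}),
                  {("q0", "q0"): set(ANY), ("q0", "q1"): {"b"}, ("q0", "q2"): {"b"},
                   ("q1", "q1"): set(ANY), ("q2", "q2"): set(ANY)})

def deterministic_refinement(rec):
    """Combine the congruent accepting states, then prune b from the q0 self-loop
    (Figure 8.1 with P = "the program state is b"); the result is deterministic."""
    return prune(combine(rec, "q1", "q2", "q12"), "q0", "q0", ANY - {"b"})

m_d = deterministic_refinement(m_nd)
```

`combine` refuses a pair that is not congruent, which is the check a Combining step needs: merging non-congruent states can only be justified by the weaker condition that no additional sequences become accepted, and that is not decided here. Splitting a state and combining the copy back is language-preserving, and comparing `finite_language` before and after each step is the cheap sanity check for a hand-built refinement.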


9. Discussion


We have shown how to decompose a property into proof obligations. Since properties and proof obligations can be formalized using temporal logic, our approach describes how to break up the task of showing that a program satisfies one temporal formula, the property, into showing that the program satisfies a number of simpler temporal formulas, the proof obligations. Simulation Basis (4.6), Finite Acceptance (4.8), and Knot Exit (4.9) are temporal formulas because they are predicate logic formulas. The remaining two proof obligations, Simulation Induction (4.7) and Knot Variance (4.10), can be formulated in temporal logic, as

Temporal Simulation Induction: For all q_i ∈ Q:

$$\Box\big(C_i \Rightarrow \bigcirc(\textstyle\bigvee_j (T_{ij} \wedge C_j))\big) \qquad (9.1)$$

Temporal Knot Variance: For all reject knots k and all q_i ∈ k:

$$\Box\big((C_i \wedge 0 \le v_k(q_i) = V) \Rightarrow \bigcirc(\textstyle\bigwedge_j ((T_{ij} \wedge C_j) \Rightarrow v_k(q_j) < V))\big) \qquad (9.2)$$

where □ denotes the temporal operator "henceforth" and ○ denotes "next".

Other investigations into decomposing temporal properties include [Barringer et al. 84], [Gerth 84], [Jones 83], [Misra et al. 82], [Nguyen et al. 85] and [Stark 84]. Most of that work is concerned with decomposing various classes of global temporal properties of a system into local properties of the system components, resulting in so-called compositional proof systems. The work in [Gerth 84] is most similar to ours in that the primitive formulas into which temporal properties are decomposed resemble triples. That work, however, is concerned only with finite sequences (both as properties and programs) and therefore does not address the problem we are most concerned with.

We chose to express the proof obligations as triples rather than as temporal logic formulas because our experience is that people have less trouble understanding and manipulating triples. Moreover, the relation between triples and the program text is always clear: when a proof obligation formulated as a triple cannot be proved, there is little question where in the program to start looking. This is not the case for formulas of temporal logic, because they do not explicitly mention the program. Finally, we hope to integrate our approach with methods to develop a program and its proof of correctness hand-in-hand, as discussed in [Dijkstra 76] [Gries 81]. These methods are formulated in terms of triples, so it made sense for us to remain in that framework.

Considering our proof obligations from a temporal viewpoint does offer some insights. Temporal Knot Variance (9.2) requires that execution of every atomic action cause the value of a variant function to decrease, thereby ensuring progress is made towards accepting the history. Without making assumptions about fairness, this is the only way to ensure that all infinite histories leave a reject knot, because an atomic action that does not decrease any variant function can be repeated indefinitely, resulting in a history that is not accepted by the property recognizer. Thus, while we would be happy to establish

$$\Box\big((C_i \wedge 0 \le v_k(q_i) = V) \Rightarrow \Diamond(\textstyle\bigwedge_j ((T_{ij} \wedge C_j) \Rightarrow v_k(q_j) < V))\big) \qquad (9.3)$$

(where ◇ denotes "eventually"), without making fairness assumptions we are forced to demonstrate

$$\Box\big((C_i \wedge 0 \le v_k(q_i) = V) \Rightarrow \bigcirc(\textstyle\bigwedge_j ((T_{ij} \wedge C_j) \Rightarrow v_k(q_j) < V))\big). \qquad (9.4)$$

However, if we can make assumptions about fairness, then we need not prove (9.4) in order to establish (9.3). Instead, it suffices to prove that certain helpful processes that do decrease the variant function are eventually executed and that executing other processes does not increase the variant function. This method is formalized as temporal logic inference rules in [Manna & Pnueli 84], one rule for each type of fairness (e.g. weak fairness, strong fairness), and can be adapted to our approach by replacing Knot Variance (4.10) with the hypotheses of the appropriate inference rule. These hypotheses are easily formulated as predicate logic formulas and triples. This, then, provides a second way in our approach to prove a property P under a fairness assumption F. The first (section 4) was to construct the property recognizer for F ⇒ P and show that the proof obligations it defines are satisfied; the second is to construct a property recognizer for P and extract proof obligations from it, except with the Knot Variance (4.10) obligation replaced by the hypotheses from the appropriate temporal logic inference rule.

One difference between our approach and most temporal logic verification methods is the treatment of terminating executions. We handle terminating executions by explicitly dealing with finite sequences of program states; it is inconvenient to deal with finite sequences using temporal logics that include a "next" operator, so finite sequences are usually extended to be infinite sequences. Unfortunately, this extension can cause problems because the infinite sequence might not satisfy a property that the original (finite) one did. For example, a common way to extend a finite sequence to an infinite one is by replicating the last state. A property like "the value of the program counter changes between two successive states", though true of a finite sequence, does not hold for an infinite sequence obtained by replicating the last state of a finite sequence. Other ways to extend finite sequences have similar problems.

Another, related, approach to verifying that a program satisfies a property is model checking [Clarke et al. 83] [Emerson & Lei 85] [Lichtenstein & Pnueli 85], where a program π is viewed as specifying a Kripke structure K_π. K_π is a model for P if and only if π satisfies P. Thus, to determine if π satisfies P it suffices to check whether K_π is a model for P, and this amounts to checking each state in the state space to see which sub-formulas of P hold in that state. Determining whether K_π is a model for P requires time linear in both the length of P and the size of the program state space.

Recently, [Vardi & Wolper 85] observed that K_π can be viewed as a Büchi automaton³ that accepts exactly the histories of π. From this automaton and one that recognizes sequences satisfying ¬P, a Büchi automaton can be constructed that accepts all histories of π not satisfying P. The decision procedure for the emptiness problem for this automaton can then be used to determine if π satisfies P; the decision procedure is exponential in the length of P and linear in the size of the program state space.

The drawback to both these methods is that they require time linear in the size of the state space. (The fact that the second method is exponential in the length of P is inconsequential due to the relative size of the program state space.) They are practical only for those applications where the program state space is of a manageable size. In our approach, rather than check every state in the state space, the state space is partitioned into equivalence classes defined by the correspondence invariants. The number of correspondence invariants is exponential in the length of P, since there is one for each state in m_P; the number of proof obligations is linear in the size of the program. Thus, with our method, the number of proof obligations incurred for a deterministic property is exponential in the length of P and linear in the size of the program. Since the size of the program is likely to be substantially smaller than the size of the state space, our approach is rather attractive.⁴ Even for non-deterministic properties, the number of proof obligations incurred with our approach is bounded by the size of the state space (see Appendix). Thus, our approach is comparable to the model checking approaches for this case.

Of course, verification is only necessary if synthesis is not possible. Techniques to synthesize the synchronization portion of a finite-state concurrent program from a propositional temporal logic specification are given in [Clarke & Emerson 81] and [Manna & Wolper 84]. The latter technique is most closely related to the work of this paper, since it is based on linear time temporal logic. In it, a model graph for a property P is constructed and then converted into a program. This model graph is just a property recognizer. Restriction to propositional specifications is not a problem for synchronizers, but is not sufficient for specifying many properties of programs; e.g. the relation between the program's input and output.


³ Recall, Büchi automata are special cases of property recognizers.

⁴ We assume that the cost of deciding the validity of a Hoare triple is constant. This is reasonable for purposes of comparison because in the model checking approach the ability to decide the validity of an implication in constant time follows from the restriction to propositional temporal logic.


10. Conclusions


A new approach to proving temporal properties of concurrent programs was described. The approach is based on specifying properties using automata, called property recognizers. Property recognizers are quite expressive: any linear-time temporal logic formula can be formulated as a property recognizer. Proof obligations for a property are extracted directly from the recognizer for that property. The proof obligations are predicate logic formulas and triples. Thus, temporal inference is not necessary for proving temporal properties. In fact, the same techniques that work for proving total correctness of sequential programs [Hoare 69] [Dijkstra 76] can be used for proving arbitrary temporal properties of concurrent ones. When proving total correctness of a loop in a sequential program, a loop invariant and variant function must be devised and checked. When our method is used to prove that some arbitrary temporal property holds for a concurrent program, correspondence invariants and variant functions must be devised and checked.

Our approach was illustrated on some standard examples: incrementing x by 2 in parallel [Owicki & Gries 76] and Mutual Exclusion, Starvation Freedom, and First-come, First-served for Peterson's solution to the critical section problem [Peterson 81]. Property outlines were proposed as a succinct way to represent a program and its correspondence invariants for a given property recognizer.


Acknowledgments

D. Gries, L. Lamport, and P. Panangaden made helpful comments on an earlier draft of this paper.

References

[Alpern 86] Alpern, B. Constructing proof obligations. Ph.D. Thesis, Department of Computer Science, Cornell University. In preparation.

[Barringer et al. 84] Barringer, H., R. Kuiper, and A. Pnueli. Now you may compose temporal logic specifications. Proc. Sixteenth Annual Symposium on Theory of Computing, Washington, D.C., April 1984, 51-63.

[Clarke & Emerson 81] Clarke, E.M. and E.A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. Logic of Programs (D. Kozen, ed.), Lecture Notes in Computer Science Vol. 131, Springer-Verlag, Berlin, 1981, 52-71.

[Clarke et al. 83] Clarke, E.M., E.A. Emerson, and A.P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications: A practical approach. Proceedings of the 10th ACM Symposium on Principles of Programming Languages, Austin, January 1983, 117-126.

[Dijkstra 76] Dijkstra, E.W. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976.

[Eilenberg 74] Eilenberg, S. Automata, Languages and Machines, Vol. A. Academic Press, New York, 1974.

[Emerson & Lei 85] Emerson, E.A. and C.L. Lei. Modalities for model checking: Branching time strikes back. Proceedings of the 12th ACM Symposium on Principles of Programming Languages, New Orleans, January 1985, 84-96.

[Gerth 84] Gerth, R. Transition logic. Proc. Sixteenth Annual Symposium on Theory of Computing, Washington, D.C., April 1984, 39-50.

[Gries 81] Gries, D. The Science of Programming. Springer-Verlag, New York, 1981.

[Hoare 69] Hoare, C.A.R. An axiomatic basis for computer programming. Commun. ACM 12, 10 (Oct. 1969), 576-580, 583.

[Hopcroft & Ullman 79] Hopcroft, J.E. and J.D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.

[Jones 83] Jones, C.B. Specification and design of (parallel) programs. Information Processing '83 (R.E.A. Mason, ed.), North-Holland, Amsterdam, 1983, 321-332.

[Lamport 80] Lamport, L. The "Hoare logic" of concurrent programs. Acta Informatica 14, 1 (1980), 21-37.

[Lamport 83a] Lamport, L. What good is temporal logic. Information Processing '83 (R.E.A. Mason, ed.), North-Holland, Amsterdam, 1983, 657-668.

[Lamport 83b] Lamport, L. Specifying concurrent program modules. ACM Transactions on Programming Languages and Systems 5, 2 (April 1983), 190-222.

[Lamport & Schneider 84] Lamport, L. and F.B. Schneider. The "Hoare logic" of CSP, and all that. ACM Transactions on Programming Languages and Systems 6, 2 (April 1984), 281-296.

[Landweber 69] Landweber, L.H. Decision problems for ω-automata. Mathematical Systems Theory 3 (1969), 376-384.

[Lichtenstein & Pnueli 85] Lichtenstein, O. and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. Proceedings of the 12th ACM Symposium on Principles of Programming Languages, New Orleans, January 1985, 97-107.

[Manna & Pnueli 81a] Manna, Z. and A. Pnueli. Verification of concurrent programs: The temporal framework. The Correctness Problem in Computer Science (R.S. Boyer and J.S. Moore, eds.), International Lecture Series in Computer Science, Academic Press, London, 1981, 141-154.

[Manna & Pnueli 81b] Manna, Z. and A. Pnueli. Verification of concurrent programs: Temporal proof principles. Logic of Programs (D. Kozen, ed.), Lecture Notes in Computer Science Vol. 131, Springer-Verlag, Berlin, 1981, 200-252.

[Manna & Pnueli 83] Manna, Z. and A. Pnueli. How to cook a temporal proof system for your pet language. Proc. 10th ACM Symposium on Principles of Programming Languages, Austin, January 1983.

[Manna & Pnueli 84] Manna, Z. and A. Pnueli. Adequate proof principles for invariance and liveness properties of concurrent programs. Science of Computer Programming 4 (1984), 257-289.

[Manna & Wolper 84] Manna, Z. and P. Wolper. Synthesis of communicating processes from temporal logic specifications. ACM Transactions on Programming Languages and Systems 6, 1 (Jan. 1984), 68-93.

[Misra et al. 82] Misra, J., K.M. Chandy, and T. Smith. Proving safety and liveness of communicating processes with examples. Proc. ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, Ottawa, Canada, August 1982, 137-164.

[Nguyen et al. 85] Nguyen, V., D. Gries, and S. Owicki. A model and temporal proof system for networks of processes. Proceedings of the 12th ACM Symposium on Principles of Programming Languages, New Orleans, January 1985, 121-131.

[Owicki & Gries 76] Owicki, S.S. and D. Gries. An axiomatic proof technique for parallel programs I. Acta Informatica 6 (1976), 319-340.

[Owicki & Lamport 82] Owicki, S.S. and L. Lamport. Proving liveness properties of concurrent programs. ACM Transactions on Programming Languages and Systems 4, 3 (July 1982), 455-496.

[Peterson 81] Peterson, G.L. Myths about the mutual exclusion problem. Information Processing Letters 12, 3 (June 1981), 115-116.

[Pnueli 77] Pnueli, A. The temporal logic of programs. Proc. 18th Symposium on the Foundations of Computer Science, IEEE, Providence, R.I., Nov. 1977, 46-57.

[Pnueli 86] Pnueli, A. In transition from global to modular temporal reasoning about programs. In Current Trends in Concurrency, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1986. To appear.

[Pnueli & Manna 83] Pnueli, A. and Z. Manna. Proving precedence properties: The temporal way. Proc. 10th Colloquium on Automata, Languages and Programming, Lecture Notes in Computer Science Vol. 154, Springer-Verlag, Berlin, 1983, 491-512.

[Stark 84] Stark, E.W. Foundations of a theory of specification for distributed systems. Ph.D. Thesis, M.I.T. Laboratory for Computer Science, MIT/LCS/TR-342, August 1984.

[Vardi & Wolper 85] Vardi, M.Y. and P. Wolper. Applications of temporal logic: An automata-theoretic perspective. In preparation.

[Wolper 83] Wolper, P. Temporal logic can be more expressive. Information and Control 56, 1-2 (1983), 72-99.

[Wolper 84] Wolper, P. The tableau method for temporal logic: An overview. Unpublished manuscript.

Appendix: Soundness and Relative Completeness

The soundness and relative completeness of our approach is shown below. We first show that the proof obligations of section 4 for deterministic property recognizers are sound. We then show that they are complete relative to predicate logic and Hoare's partial correctness logic. Since partial correctness logic is known to be complete relative to predicate logic, our proof obligations are complete relative to predicate logic. Next, we show that the proof obligations of section 8 for non-deterministic property recognizers are also sound, and finally that they are complete relative to our approach for deterministic properties.

Deterministic  Property  Recognizers 

Soundness Theorem: If for a program π and deterministic property recognizer m_P for property P there are correspondence invariants and variant functions such that Simulation Basis (4.6), Simulation Induction (4.7), Finite Acceptance (4.8), Knot Exit (4.9), and Knot Variance (4.10) are valid, then π satisfies P.

Proof. Assume that the proof obligations are valid for some correspondence invariants and variant functions and that σ is a history of π. We must show that σ satisfies P.

By induction on n,

$$\delta^*(q_0, \sigma[..n]) = q_i \;\Rightarrow\; C_i(\sigma[n])$$

due to Simulation Basis (4.6) and Simulation Induction (4.7). A similar inductive argument shows that m_P cannot attempt an undefined transition when reading σ[n].

We now show that if σ is finite then it is accepted by m_P. Without loss of generality, let σ[n] be the final state of σ. We must show that δ*(q_0, σ[..n]) is a finite-accepting state. Due to Finite Acceptance (4.8), if δ*(q_0, σ[..n]) is a non-finite-accepting state, then π cannot be blocked in σ[n], and this contradicts the assumption that σ[n] is the final state of σ. Thus, we conclude that δ*(q_0, σ[..n]) is a finite-accepting state, and, by definition, m_P accepts σ, hence σ satisfies P.

Finally, we show that if σ is infinite then it is accepted by m_P. By Knot Exit (4.9) and Knot Variance (4.10), if m_P enters a reject knot k upon reading σ[n], then it must exit k before reading the (n + v_k(δ*(q_0, σ[..n]), σ[n]))-th symbol of σ. By the definition of a reject knot, m_P cannot reenter k after exiting it without first entering an infinite-accepting state. Since there are finitely many reject knots and σ is infinite, m_P must enter an infinite-accepting state infinitely often. Thus, by definition, m_P will accept σ, hence σ satisfies P. □

Relative Completeness Theorem: If a program π satisfies a property P that is accepted by a deterministic property recognizer m_P, then there exist correspondence invariants and variant functions for which Simulation Basis (4.6), Simulation Induction (4.7), Finite Acceptance (4.8), Knot Exit (4.9), and Knot Variance (4.10) are valid.

Proof. Assume m_P accepts every history of π. We must show that (4.6)-(4.10) for π and m_P are valid.

Choose correspondence invariants and variant functions as follows. Let σ range over the histories of π. First, for each automaton state q_i, define

$$C_i(s) \;\equiv\; (\exists \sigma, n:\ 0 \le n:\ s = \sigma[n] \wedge \delta^*(q_0, \sigma[..n]) = q_i).$$

Thus, C_i(s) holds for a program state s if and only if there is some history of π in which s caused m_P to make a transition to q_i. Next, for each reject knot k and each q_i ∈ k, define

$$v_k(q_i, s) \;=\; \begin{cases}
0 & \text{if } \mathit{Blocked}_\pi(s) \vee \neg C_i(s) \\[4pt]
1 + \max\{\, v \mid \exists \sigma, n:\ 0 \le n:\ s = \sigma[n] \wedge \delta^*(q_0, \sigma[..n]) = q_i \\
\qquad\qquad \wedge\ \neg\mathit{Blocked}_\pi(\sigma[n+v]) \wedge (\forall l:\ 0 \le l \le v:\ \delta^*(q_0, \sigma[..n+l]) \in k) \,\} & \text{if } \neg\mathit{Blocked}_\pi(s) \wedge C_i(s)
\end{cases}$$

Thus, v_k(q_i, s) is the maximum number of atomic actions π can execute when in state s and m_P is in q_i before m_P will halt or leave k.

It remains to prove that (4.6)-(4.10) are valid with these correspondence invariants and variant functions. We consider each proof obligation in turn.

Simulation Basis (4.6). Since π satisfies P, every initial state of π must satisfy some transition predicate T_0j. By construction, this initial state will also satisfy C_j. Thus, (4.6) is valid.

Simulation Induction (4.7). Consider any program history σ and suppose δ*(q_0, σ[..n]) = q_i for some n. By construction, C_i(σ[n]). Consider an atomic action α from π that terminates in a state s′ when started in state σ[n]. Clearly, σ[..n] s′ is the prefix of some history σ′ of π. Since m_P accepts every history of π, m_P must accept σ′, so there must exist an automaton state q_j such that σ′[n+1] satisfies T_ij. By construction, C_j(σ′[n+1]). So, we have shown {C_i} α {∨_j (T_ij ∧ C_j)} for any atomic action α that terminates when started in a state satisfying C_i. Since {C_i} α {∨_j (T_ij ∧ C_j)} is valid for any atomic action α that does not terminate when started in a state satisfying C_i, we have shown that (4.7) is valid.

Finite Acceptance (4.8). Consider any program state σ[n] in some history σ of π. Suppose δ*(q_0, σ[..n]) = q_i. Thus, by construction, C_i(σ[n]). If q_i is not finite-accepting then σ[n] also satisfies ¬Blocked_π. Otherwise, σ[n] would have to be the final state of σ, which would cause m_P to reject σ, contradicting the assumption that every history of π is accepted by m_P. Thus, C_i ⇒ ¬Blocked_π is valid, so (4.8) is valid.

Knot Exit (4.9). The proof that (4.9) is valid is trivial, by construction of v_k.

Knot Variance (4.10). If α does not terminate when started in a state satisfying some correspondence invariant C_i for an automaton state q_i ∈ k, then

$$\{C_i \wedge v_k(q_i) = V\}\ \alpha\ \{\textstyle\bigwedge_j ((T_{ij} \wedge C_j) \Rightarrow v_k(q_j) < V)\} \qquad (10.1)$$

is trivially valid.

Suppose α does terminate and terminates in state s′ when started in state s. Thus, there must exist a history σ_1 and an integer n_1 such that σ_1[n_1] = s and δ*(q_0, σ_1[..n_1]) = q_i. There also must exist a history σ_2 and an integer n_2 such that σ_2[n_2] = s′, δ*(q_0, σ_2[..n_2]) = q_j, (∀l: 0 ≤ l ≤ v_k(q_j, s′): δ*(q_0, σ_2[..n_2 + l]) ∈ k) and ¬Blocked_π(σ_2[n_2 + v_k(q_j, s′)]). Let σ = σ_1[0..n_1] σ_2[n_2..]. Since α terminates in s′ when started in state s, σ is a history of π. By the construction of v_k, we conclude v_k(q_j, s′) + 1 ≤ v_k(q_i, s). So, (10.1) is valid. □

Non-deterministic Property Recognizers

The Soundness Theorem for non-deterministic property recognizers shows that constructing a deterministic refinement suffices for proving the non-deterministic property of interest. The Soundness Theorem for deterministic property recognizers then allows us to conclude that satisfying the proof obligations extracted from this deterministic refinement is sufficient. Completeness for non-deterministic property recognizers involves showing that if a program $\pi$ satisfies a property specified by a non-deterministic property recognizer $m_{ND}$, then it is always possible to construct a deterministic refinement of $m_{ND}$ by using Combining, Pruning, and Splitting.

Soundness Theorem: If a non-deterministic property recognizer $m_{ND}$ for a property $ND$ can be refined to a deterministic property recognizer $m_D$ for a property $D$ by using Pruning, Splitting, or Combining, then if program $\pi$ satisfies $D$, it will also satisfy $ND$.

Proof. Suppose $m_D$ can be obtained from $m_{ND}$ using a single refinement step. If Splitting is used, then $m_{ND}$ and $m_D$ accept exactly the same sequences. If Combining is used, then by the definition of Combining $m_{ND}$ and $m_D$ accept exactly the same sequences. Finally, if Pruning is used, then $m_{ND}$ accepts every sequence accepted by $m_D$, because Pruning can only result in a refinement that rejects more sequences than the original. Thus, in each case, if $\pi$ satisfies property $D$, it must also satisfy $ND$. The theorem then follows by induction on the number of refinement steps needed to obtain $m_D$. □

Relative Completeness Theorem: If program $\pi$ has a finite state space and satisfies some property $ND$ that is accepted by a non-deterministic property recognizer $m_{ND}$, then there exists a deterministic refinement of $m_{ND}$ that $\pi$ satisfies.

Proof. First, we construct a deterministic property recognizer $m_\pi$ that accepts exactly the histories of $\pi$. Define $m_\pi$ to be $(S_\pi,\ S_\pi \cup \{start\},\ \{start\},\ S_\pi,\ Blocked_\pi,\ \delta_\pi)$, where $S_\pi$ is the set of program states of $\pi$ (finite, by the hypothesis of the theorem, so $m_\pi$ has finitely many automaton states) and

$$\delta_\pi(start, s) = s \quad \text{iff } s \text{ is an initial state of } \pi, \text{ and}$$

$$\delta_\pi(s, s') = s' \quad \text{iff there is an atomic action of } \pi \text{ enabled in } s \text{ that terminates in } s' \text{ when started in } s.$$

Clearly, $m_\pi$ accepts exactly the histories of $\pi$: an infinite sequence is accepted whenever it follows the transitions of $\pi$ (every state is in the infinite-acceptance set $S_\pi$), and a finite one only if it ends in a state of $Blocked_\pi$.

We can use $m_\pi$ to refine $m_{ND} = (S_\pi,\ Q,\ Q_0,\ Q_\infty,\ Q_F,\ \delta_{ND})$. Let $m_{ND \times \pi}$ be the property recognizer

$$(S_\pi,\ Q \times (S_\pi \cup \{start\}),\ Q_0 \times \{start\},\ Q_\infty \times S_\pi,\ Q_F \times Blocked_\pi,\ \delta_{ND \times \pi}),$$

where

$$(q', s') \in \delta_{ND \times \pi}((q, s), s') \quad \text{iff} \quad q' \in \delta_{ND}(q, s') \text{ and } \delta_\pi(s, s') = s'.$$

Note that $m_{ND \times \pi}$ can be obtained by Splitting each state of $m_{ND}$ into one copy for each state of $m_\pi$ and then using Pruning.

$m_{ND \times \pi}$ accepts exactly those sequences that are histories of $\pi$ (hence, accepted by $m_\pi$) and accepted by $m_{ND}$. Since $\pi$ satisfies $ND$, every history of $\pi$ is accepted by $m_{ND}$. Thus, $m_{ND \times \pi}$ recognizes the same set of sequences as $m_\pi$. We can now use Combining to obtain $m_D$ from $m_{ND \times \pi}$: states with the same second component are combined together. Since $m_D$ is deterministic and accepts every history of $\pi$, we have shown how to obtain a deterministic refinement of $m_{ND}$ that $\pi$ satisfies. □
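The construction in this proof, together with the correspondence invariants $C_j$ used in the completeness argument for deterministic recognizers above, can be run on a small finite-state program. The Python below is an added example and not code from the report: the class and function names, the `start` state name, the toy counter program and the recognizer for "some state with $x \ge 2$ occurs" are all constructed here for illustration. It handles only terminating programs, so finite acceptance ($Q_F$) is what gets exercised; the $Q_\infty$ component is carried through the product but no infinite-history (Büchi) check is implemented.

```python
from itertools import product

START = "start"  # assumed name for the extra start state of m_pi

class Recognizer:
    """(S, Q, Q0, Qinf, QF, delta); delta(q, s) is the SET of next states."""
    def __init__(self, S, Q, Q0, Qinf, QF, delta):
        self.S, self.Q, self.delta = set(S), set(Q), delta
        self.Q0, self.Qinf, self.QF = set(Q0), set(Qinf), set(QF)

    def accepts(self, seq):
        """Finite acceptance: some run over seq ends in QF (subset tracking)."""
        cur = set(self.Q0)
        for s in seq:
            cur = {q2 for q in cur for q2 in self.delta(q, s)}
        return bool(cur & self.QF)

    def deterministic(self):
        return all(len(self.delta(q, s)) <= 1 for q in self.Q for s in self.S)

class Program:
    """Finite-state, terminating program pi; a state with no successor is Blocked."""
    def __init__(self, init, succ):
        self.init, self.succ = set(init), succ
        self.states = set(succ) | {t for ts in succ.values() for t in ts}

    def blocked(self, s):
        return not self.succ.get(s)

    def histories(self):
        stack = [[s] for s in self.init]
        while stack:
            h = stack.pop()
            if self.blocked(h[-1]):
                yield h
            else:
                stack.extend(h + [t] for t in self.succ[h[-1]])

def program_recognizer(pi):
    """m_pi = (S, S u {start}, {start}, S, Blocked, delta_pi): accepts exactly pi's histories."""
    def delta(q, s):
        ok = s in pi.init if q == START else s in pi.succ.get(q, ())
        return {s} if ok else set()
    return Recognizer(pi.states, pi.states | {START}, {START}, pi.states,
                      {s for s in pi.states if pi.blocked(s)}, delta)

def product_recognizer(m_nd, m_pi):
    """m_ND x pi: Splitting each state of m_ND into one copy per state of m_pi."""
    def delta(qs, s2):
        q, s = qs
        return {(q2, s3) for q2 in m_nd.delta(q, s2) for s3 in m_pi.delta(s, s2)}
    return Recognizer(m_nd.S, product(m_nd.Q, m_pi.Q), product(m_nd.Q0, m_pi.Q0),
                      product(m_nd.Qinf, m_pi.Qinf), product(m_nd.QF, m_pi.QF), delta)

def correspondence_invariants(pi, m):
    """C_j = the states reached by some history prefix that drives m to q_j."""
    inv = {q: set() for q in m.Q}
    for h in pi.histories():
        cur = set(m.Q0)
        for s in h:
            cur = {q2 for q in cur for q2 in m.delta(q, s)}
            for q in cur:
                inv[q].add(s)
    return inv

def violating_history(pi, m_nd):
    """First history of pi that m_ND rejects, or None when pi satisfies ND."""
    return next((h for h in pi.histories() if not m_nd.accepts(h)), None)

def deterministic_refinement(pi, m_nd):
    """Prune m_ND x pi to its reachable states, then Combine states that agree on
    the program-state component; only meaningful when pi satisfies ND."""
    bad = violating_history(pi, m_nd)
    if bad is not None:
        raise ValueError(f"pi violates ND on history {bad}")
    m_prod = product_recognizer(m_nd, program_recognizer(pi))
    reach, todo = set(m_prod.Q0), list(m_prod.Q0)
    while todo:                                   # Pruning: reachable states only
        qs = todo.pop()
        new = {n for s2 in m_prod.S for n in m_prod.delta(qs, s2)} - reach
        reach |= new
        todo.extend(new)
    def delta(s, s2):                             # Combining on the 2nd component
        return {s3 for (q, s1) in reach if s1 == s
                for (_, s3) in m_prod.delta((q, s1), s2)}
    snd = lambda qs: {s for (_, s) in qs}
    return Recognizer(m_prod.S, snd(reach), snd(m_prod.Q0),
                      snd(reach & m_prod.Qinf), snd(reach & m_prod.QF), delta)

def refines(m_d, m_nd, max_len):
    """Soundness check, exhaustive up to max_len: whatever m_D accepts, m_ND accepts."""
    return all(m_nd.accepts(seq) for n in range(max_len + 1)
               for seq in product(sorted(m_d.S), repeat=n) if m_d.accepts(seq))

# Constructed toy program: a counter that may skip from 1 straight to its final state 3.
PI = Program(init={0}, succ={0: {1}, 1: {2, 3}, 2: {3}, 3: set()})
PI_BAD = Program(init={0}, succ={0: {1}, 1: set()})    # never reaches x >= 2
# Constructed non-deterministic recognizer for "some state with x >= 2 occurs":
# in state 'a' the automaton may guess that the current program state is the witness.
M_ND = Recognizer(S=PI.states, Q={"a", "b"}, Q0={"a"}, Qinf={"a", "b"}, QF={"b"},
                  delta=lambda q, s: {"b"} if q == "b" else ({"a", "b"} if s >= 2 else {"a"}))
```

`deterministic_refinement(PI, M_ND)` returns the Combined recognizer $m_D$; it is deterministic, accepts exactly the histories `[0, 1, 3]` and `[0, 1, 2, 3]`, and `refines(m_D, M_ND, 5)` confirms the Soundness Theorem's containment by enumeration. `correspondence_invariants(PI, m_D)` yields the $C_j$ of the completeness proof (each automaton state of $m_D$ corresponds to exactly the program state it is a copy of), and for `PI_BAD` the construction is refused with the rejected history `[0, 1]`. The caveat a verifier sees immediately is the size of the product: $|Q| \cdot (|S_\pi| + 1)$ states before Pruning, which is why the theorem is stated for finite state spaces only.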


